# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Jun 3 2020 08:38:37 # Log Creation Date: 04.09.2020 22:29:52.163 Process: id = "1" image_name = "winhost.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\winhost.exe" page_root = "0x4c17e000" os_pid = "0xa1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x454" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\winhost.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xa10 [0033.377] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76d30000 [0033.378] GetProcAddress (hModule=0x76d30000, lpProcName="GetProcAddress") returned 0x76d41222 [0033.378] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleHandleW") returned 0x76d434b0 [0033.378] GetProcAddress (hModule=0x76d30000, lpProcName="FindNextFileW") returned 0x76d454ee [0033.378] GetProcAddress (hModule=0x76d30000, lpProcName="FindClose") returned 0x76d44442 [0033.378] GetProcAddress (hModule=0x76d30000, lpProcName="MoveFileW") returned 0x76d59af0 [0033.378] GetProcAddress (hModule=0x76d30000, lpProcName="GetFileSizeEx") returned 0x76d459e2 [0033.378] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleFileNameW") returned 0x76d44950 [0033.378] GetProcAddress (hModule=0x76d30000, lpProcName="GetFileAttributesW") returned 0x76d41b18 [0033.378] GetProcAddress (hModule=0x76d30000, lpProcName="ExitProcess") returned 0x76d47a10 [0033.378] GetProcAddress (hModule=0x76d30000, lpProcName="GetCommandLineW") returned 0x76d45223 [0033.378] GetProcAddress (hModule=0x76d30000, lpProcName="GetComputerNameW") returned 0x76d4dd0e [0033.378] GetProcAddress (hModule=0x76d30000, lpProcName="GetComputerNameA") returned 0x76d5b6e0 [0033.378] GetProcAddress (hModule=0x76d30000, lpProcName="CreateMutexW") returned 0x76d4424c [0033.378] GetProcAddress (hModule=0x76d30000, lpProcName="lstrlenW") returned 0x76d41700 [0033.379] GetProcAddress (hModule=0x76d30000, lpProcName="lstrlenA") returned 0x76d45a4b [0033.379] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentProcess") returned 0x76d41809 [0033.379] GetProcAddress (hModule=0x76d30000, lpProcName="WaitForSingleObject") returned 0x76d41136 [0033.379] GetProcAddress (hModule=0x76d30000, lpProcName="GetLogicalDrives") returned 0x76d45371 [0033.379] GetProcAddress (hModule=0x76d30000, lpProcName="GetTickCount") returned 0x76d4110c [0033.379] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteFileW") returned 0x76d489b3 [0033.379] GetProcAddress (hModule=0x76d30000, lpProcName="WideCharToMultiByte") returned 0x76d4170d [0033.379] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x76d41916 [0033.379] GetProcAddress (hModule=0x76d30000, lpProcName="Sleep") returned 0x76d410ff [0033.379] GetProcAddress (hModule=0x76d30000, lpProcName="LeaveCriticalSection") returned 0x77c62270 [0033.379] GetProcAddress (hModule=0x76d30000, lpProcName="ReadFile") returned 0x76d43ed3 [0033.379] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileW") returned 0x76d43f5c [0033.379] GetProcAddress (hModule=0x76d30000, lpProcName="OpenMutexW") returned 0x76d45151 [0033.379] GetProcAddress (hModule=0x76d30000, lpProcName="EnterCriticalSection") returned 0x77c622b0 [0033.379] GetProcAddress (hModule=0x76d30000, lpProcName="WaitForMultipleObjects") returned 0x76d44220 [0033.379] GetProcAddress (hModule=0x76d30000, lpProcName="lstrcmpiW") returned 0x76d5d5cd [0033.379] GetProcAddress (hModule=0x76d30000, lpProcName="lstrcmpiA") returned 0x76d43e8e [0033.379] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteCriticalSection") returned 0x77c745f5 [0033.379] GetProcAddress (hModule=0x76d30000, lpProcName="ReleaseMutex") returned 0x76d4111e [0033.379] GetProcAddress (hModule=0x76d30000, lpProcName="CloseHandle") returned 0x76d41410 [0033.380] GetProcAddress (hModule=0x76d30000, lpProcName="GetVersion") returned 0x76d44467 [0033.380] GetProcAddress (hModule=0x76d30000, lpProcName="CreateThread") returned 0x76d434d5 [0033.380] GetProcAddress (hModule=0x76d30000, lpProcName="ExpandEnvironmentStringsW") returned 0x76d44173 [0033.380] GetProcAddress (hModule=0x76d30000, lpProcName="QueryPerformanceCounter") returned 0x76d41725 [0033.380] GetProcAddress (hModule=0x76d30000, lpProcName="QueryPerformanceFrequency") returned 0x76d441f0 [0033.380] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentProcessId") returned 0x76d411f8 [0033.380] GetProcAddress (hModule=0x76d30000, lpProcName="SetFileAttributesW") returned 0x76d5d4f7 [0033.380] GetProcAddress (hModule=0x76d30000, lpProcName="GetVolumeInformationW") returned 0x76d5c860 [0033.380] GetProcAddress (hModule=0x76d30000, lpProcName="WriteFile") returned 0x76d41282 [0033.380] GetProcAddress (hModule=0x76d30000, lpProcName="SetFilePointerEx") returned 0x76d5c807 [0033.380] GetProcAddress (hModule=0x76d30000, lpProcName="SetEndOfFile") returned 0x76d5ce2e [0033.380] GetProcAddress (hModule=0x76d30000, lpProcName="FindFirstFileW") returned 0x76d44435 [0033.380] GetProcAddress (hModule=0x76d30000, lpProcName="GetProcessHeap") returned 0x76d414e9 [0033.380] GetProcAddress (hModule=0x76d30000, lpProcName="HeapReAlloc") returned 0x77c81f6e [0033.380] GetProcAddress (hModule=0x76d30000, lpProcName="HeapAlloc") returned 0x77c6e026 [0033.380] GetProcAddress (hModule=0x76d30000, lpProcName="HeapFree") returned 0x76d414c9 [0033.380] GetProcAddress (hModule=0x76d30000, lpProcName="CreatePipe") returned 0x76dc415b [0033.380] GetProcAddress (hModule=0x76d30000, lpProcName="SetHandleInformation") returned 0x76d5195c [0033.380] GetProcAddress (hModule=0x76d30000, lpProcName="CreateProcessW") returned 0x76d4103d [0033.380] GetProcAddress (hModule=0x76d30000, lpProcName="CompareStringW") returned 0x76d43bca [0033.381] GetProcAddress (hModule=0x76d30000, lpProcName="CompareStringA") returned 0x76d43c5a [0033.381] GetProcAddress (hModule=0x76d30000, lpProcName="OpenProcess") returned 0x76d41986 [0033.381] GetProcAddress (hModule=0x76d30000, lpProcName="TerminateProcess") returned 0x76d5d802 [0033.381] GetProcAddress (hModule=0x76d30000, lpProcName="GetSystemTime") returned 0x76d45a96 [0033.381] GetProcAddress (hModule=0x76d30000, lpProcName="SystemTimeToFileTime") returned 0x76d45a7e [0033.381] GetProcAddress (hModule=0x76d30000, lpProcName="GetLastError") returned 0x76d411c0 [0033.381] GetProcAddress (hModule=0x76d30000, lpProcName="CreateToolhelp32Snapshot") returned 0x76d6735f [0033.381] GetProcAddress (hModule=0x76d30000, lpProcName="Process32NextW") returned 0x76d6896c [0033.381] GetProcAddress (hModule=0x76d30000, lpProcName="Process32FirstW") returned 0x76d68baf [0033.381] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0035.740] GetProcAddress (hModule=0x77710000, lpProcName="RegOpenKeyExW") returned 0x7772468d [0035.741] GetProcAddress (hModule=0x77710000, lpProcName="RegQueryValueExW") returned 0x777246ad [0035.741] GetProcAddress (hModule=0x77710000, lpProcName="RegSetValueExW") returned 0x777214d6 [0035.741] GetProcAddress (hModule=0x77710000, lpProcName="RegCloseKey") returned 0x7772469d [0035.741] GetProcAddress (hModule=0x77710000, lpProcName="OpenProcessToken") returned 0x77724304 [0035.741] GetProcAddress (hModule=0x77710000, lpProcName="GetTokenInformation") returned 0x7772431c [0035.741] GetProcAddress (hModule=0x77710000, lpProcName="OpenSCManagerW") returned 0x7771ca64 [0035.741] GetProcAddress (hModule=0x77710000, lpProcName="OpenServiceW") returned 0x7771ca4c [0035.741] GetProcAddress (hModule=0x77710000, lpProcName="CloseServiceHandle") returned 0x7772369c [0035.741] GetProcAddress (hModule=0x77710000, lpProcName="ControlService") returned 0x77737144 [0035.741] GetProcAddress (hModule=0x77710000, lpProcName="QueryServiceStatus") returned 0x77722a86 [0035.741] GetProcAddress (hModule=0x77710000, lpProcName="EnumDependentServicesW") returned 0x77711e3a [0035.741] GetProcAddress (hModule=0x77710000, lpProcName="EnumServicesStatusExW") returned 0x7771b466 [0035.742] LoadLibraryA (lpLibFileName="user32.dll") returned 0x77130000 [0037.925] GetProcAddress (hModule=0x77130000, lpProcName="SystemParametersInfoW") returned 0x771490d3 [0037.925] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x759d0000 [0041.146] GetProcAddress (hModule=0x759d0000, lpProcName="ShellExecuteExW") returned 0x759f1e46 [0041.146] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77c40000 [0041.147] GetProcAddress (hModule=0x77c40000, lpProcName="NtQuerySystemInformation") returned 0x77c5fda0 [0041.147] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x75660000 [0042.020] GetProcAddress (hModule=0x75660000, lpProcName="WNetCloseEnum") returned 0x75662dd6 [0042.020] GetProcAddress (hModule=0x75660000, lpProcName="WNetOpenEnumW") returned 0x75662f06 [0042.020] GetProcAddress (hModule=0x75660000, lpProcName="WNetEnumResourceW") returned 0x75663058 [0042.020] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x77230000 [0042.445] GetProcAddress (hModule=0x77230000, lpProcName="WSAStartup") returned 0x77233ab2 [0042.445] GetProcAddress (hModule=0x77230000, lpProcName="socket") returned 0x77233eb8 [0042.445] GetProcAddress (hModule=0x77230000, lpProcName="send") returned 0x77236f01 [0042.445] GetProcAddress (hModule=0x77230000, lpProcName="recv") returned 0x77236b0e [0042.445] GetProcAddress (hModule=0x77230000, lpProcName="connect") returned 0x77236bdd [0042.445] GetProcAddress (hModule=0x77230000, lpProcName="closesocket") returned 0x77233918 [0042.445] GetProcAddress (hModule=0x77230000, lpProcName="gethostbyname") returned 0x77247673 [0042.445] GetProcAddress (hModule=0x77230000, lpProcName="inet_addr") returned 0x7723311b [0042.445] GetProcAddress (hModule=0x77230000, lpProcName="ntohl") returned 0x77232d57 [0042.445] GetProcAddress (hModule=0x77230000, lpProcName="htonl") returned 0x77232d57 [0042.446] GetProcAddress (hModule=0x77230000, lpProcName="htons") returned 0x77232d8b [0042.446] GetProcessHeap () returned 0x5f0000 [0042.446] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x20) returned 0x6040d0 [0042.446] QueryPerformanceCounter (in: lpPerformanceCount=0x18fdb8 | out: lpPerformanceCount=0x18fdb8*=16271858128) returned 1 [0042.447] GetTickCount () returned 0x1144876 [0042.447] GetCurrentProcessId () returned 0xa1c [0042.447] GetTickCount () returned 0x1144876 [0042.447] GetTickCount () returned 0x1144876 [0042.447] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x20) returned 0x6040f8 [0042.447] GetVersion () returned 0x1db10106 [0042.447] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x7) returned 0x6007c8 [0042.448] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x600bd8 [0042.448] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x600bd8, Size=0x20) returned 0x604148 [0042.448] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604148, Size=0x40) returned 0x604d10 [0042.448] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x604d58 [0042.448] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_1803FRA") returned 0x0 [0042.448] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_1803FRA") returned 0x88 [0042.448] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6007c8 | out: hHeap=0x5f0000) returned 1 [0042.448] lstrlenW (lpString="Global\\syncronize_") returned 18 [0042.448] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x604d10 | out: hHeap=0x5f0000) returned 1 [0042.448] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x7) returned 0x6007c8 [0042.448] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x600bd8 [0042.448] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x600bd8, Size=0x20) returned 0x604148 [0042.448] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604148, Size=0x40) returned 0x604d10 [0042.448] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x614d60 [0042.449] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_1803FRU") returned 0x0 [0042.449] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_1803FRU") returned 0x8c [0042.449] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6007c8 | out: hHeap=0x5f0000) returned 1 [0042.449] lstrlenW (lpString="Global\\syncronize_") returned 18 [0042.449] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x604d10 | out: hHeap=0x5f0000) returned 1 [0042.449] GetVersion () returned 0x1db10106 [0042.449] GetCurrentProcess () returned 0xffffffff [0042.449] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fda4 | out: TokenHandle=0x18fda4*=0x90) returned 1 [0042.449] GetTokenInformation (in: TokenHandle=0x90, TokenInformationClass=0x14, TokenInformation=0x18fda0, TokenInformationLength=0x4, ReturnLength=0x18fdac | out: TokenInformation=0x18fda0, ReturnLength=0x18fdac) returned 1 [0042.449] CloseHandle (hObject=0x90) returned 1 [0042.449] WaitForSingleObject (hHandle=0x8c, dwMilliseconds=0x0) returned 0x0 [0042.449] WaitForSingleObject (hHandle=0x88, dwMilliseconds=0x3e8) returned 0x0 [0042.449] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x14) returned 0x6007c8 [0042.449] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x600bd8 [0042.449] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x600bd8, Size=0x20) returned 0x604148 [0042.449] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604148, Size=0x40) returned 0x604d10 [0042.449] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604d10, Size=0x80) returned 0x624d68 [0042.449] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624d68, Size=0x100) returned 0x624d68 [0042.449] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x34) returned 0x604d10 [0042.449] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x6007e8 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x624e70 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x624e80 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x600bd8 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x624e90 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x600bf0 [0042.450] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624e90, Size=0x8) returned 0x624e90 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x600c08 [0042.450] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624e90, Size=0x10) returned 0x624e90 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x600c20 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x600c38 [0042.450] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624e90, Size=0x20) returned 0x624e90 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x600c50 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x600c68 [0042.450] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6007e8, Size=0x8) returned 0x6007e8 [0042.450] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624e70, Size=0x8) returned 0x624e70 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x624eb8 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x600c80 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x624ec8 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x600c98 [0042.450] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624ec8, Size=0x8) returned 0x624ec8 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x624ef0 [0042.450] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624ec8, Size=0x10) returned 0x6252d8 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x624f08 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x624ec8 [0042.450] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6252d8, Size=0x20) returned 0x6252d8 [0042.450] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6007e8, Size=0x10) returned 0x625300 [0042.450] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624e70, Size=0x10) returned 0x625318 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x624e70 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x624f20 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x6007e8 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x624f38 [0042.450] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6007e8, Size=0x8) returned 0x6007e8 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x625330 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x624f50 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x625340 [0042.450] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x624f68 [0042.450] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625340, Size=0x8) returned 0x625340 [0042.450] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625300, Size=0x20) returned 0x625350 [0042.451] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625318, Size=0x20) returned 0x625378 [0042.451] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x625300 [0042.451] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x624f80 [0042.451] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x625310 [0042.451] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x624f98 [0042.451] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625310, Size=0x8) returned 0x625310 [0042.451] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x14) returned 0x6253a0 [0042.451] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x14) returned 0x6253c0 [0042.451] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0042.451] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x624d68 | out: hHeap=0x5f0000) returned 1 [0042.451] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x18fdf0 | out: lpWSAData=0x18fdf0) returned 0 [0042.462] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624fb0 [0042.462] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624fb0, Size=0x20) returned 0x604350 [0042.462] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604350, Size=0x40) returned 0x624dc0 [0042.462] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624dc0, Size=0x80) returned 0x624dc0 [0042.462] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624dc0, Size=0x100) returned 0x625698 [0042.462] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624fb0 [0042.462] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624fb0, Size=0x20) returned 0x604350 [0042.462] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604350, Size=0x40) returned 0x624dc0 [0042.462] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624dc0, Size=0x80) returned 0x624dc0 [0042.462] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624dc0, Size=0x100) returned 0x6257a0 [0042.462] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x624fb0 [0042.462] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x625320 [0042.462] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624fc8 [0042.462] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625320, Size=0x8) returned 0x625320 [0042.462] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x14) returned 0x624dc0 [0042.462] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625320, Size=0x10) returned 0x624de0 [0042.462] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x18) returned 0x624df8 [0042.462] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1a) returned 0x604350 [0042.462] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624de0, Size=0x20) returned 0x624e18 [0042.462] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1c) returned 0x604378 [0042.462] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x16) returned 0x624e40 [0042.462] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1a) returned 0x6043a0 [0042.462] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x624fe0 [0042.462] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x624e60 [0042.462] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40) returned 0x6258a8 [0042.462] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624e60, Size=0x8) returned 0x624e60 [0042.462] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x3c) returned 0x6258f0 [0042.462] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624e60, Size=0x10) returned 0x624de0 [0042.462] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x14) returned 0x625938 [0042.462] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x18) returned 0x625958 [0042.462] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624de0, Size=0x20) returned 0x625978 [0042.462] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x24) returned 0x6259a0 [0042.462] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0042.463] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625698 | out: hHeap=0x5f0000) returned 1 [0042.463] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0042.463] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6257a0 | out: hHeap=0x5f0000) returned 1 [0042.463] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x625f20 [0042.468] EnumServicesStatusExW (in: hSCManager=0x625f20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0) returned 0 [0042.469] GetLastError () returned 0xea [0042.469] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x11e4) returned 0x629820 [0042.469] EnumServicesStatusExW (in: hSCManager=0x625f20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x629820, cbBufSize=0x11e4, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x629820, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0) returned 1 [0042.470] CloseServiceHandle (hSCObject=0x625f20) returned 1 [0042.472] lstrlenW (lpString="Appinfo") returned 7 [0042.472] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0042.472] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0042.473] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0042.473] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0042.473] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0042.473] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0042.473] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0042.473] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0042.473] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0042.473] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0042.473] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0042.473] lstrlenW (lpString="AudioSrv") returned 8 [0042.473] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0042.473] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0042.473] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0042.473] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0042.473] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0042.473] lstrlenW (lpString="BFE") returned 3 [0042.473] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0042.473] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0042.473] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0042.473] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0042.473] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0042.473] lstrlenW (lpString="CryptSvc") returned 8 [0042.473] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0042.473] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0042.473] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0042.473] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0042.473] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0042.474] lstrlenW (lpString="CscService") returned 10 [0042.474] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0042.474] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0042.474] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0042.474] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0042.474] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0042.474] lstrlenW (lpString="DcomLaunch") returned 10 [0042.474] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0042.474] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0042.474] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0042.474] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0042.474] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0042.474] lstrlenW (lpString="Dhcp") returned 4 [0042.474] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0042.474] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0042.474] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0042.474] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0042.474] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0042.474] lstrlenW (lpString="Dnscache") returned 8 [0042.474] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0042.474] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0042.474] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0042.474] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0042.474] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0042.474] lstrlenW (lpString="DPS") returned 3 [0042.474] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0042.474] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0042.474] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0042.474] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0042.474] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0042.474] lstrlenW (lpString="eventlog") returned 8 [0042.474] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0042.474] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0042.474] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0042.475] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0042.475] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0042.475] lstrlenW (lpString="EventSystem") returned 11 [0042.475] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0042.475] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0042.475] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0042.475] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0042.475] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0042.475] lstrlenW (lpString="gpsvc") returned 5 [0042.475] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0042.475] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0042.475] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0042.475] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0042.475] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0042.475] lstrlenW (lpString="iphlpsvc") returned 8 [0042.475] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0042.475] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0042.475] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0042.475] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0042.475] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0042.475] lstrlenW (lpString="LanmanServer") returned 12 [0042.475] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0042.475] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0042.475] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0042.475] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0042.475] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0042.475] lstrlenW (lpString="LanmanWorkstation") returned 17 [0042.475] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0042.475] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0042.475] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0042.475] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0042.475] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0042.475] lstrlenW (lpString="lmhosts") returned 7 [0042.475] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0042.476] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0042.476] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0042.476] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0042.476] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0042.476] lstrlenW (lpString="MMCSS") returned 5 [0042.476] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0042.476] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0042.476] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0042.476] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0042.476] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0042.476] lstrlenW (lpString="MpsSvc") returned 6 [0042.476] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0042.476] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0042.476] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0042.476] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0042.476] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0042.476] lstrlenW (lpString="Netman") returned 6 [0042.476] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0042.476] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0042.476] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0042.476] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0042.476] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0042.476] lstrlenW (lpString="netprofm") returned 8 [0042.476] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0042.476] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0042.476] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0042.476] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0042.476] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0042.476] lstrlenW (lpString="NlaSvc") returned 6 [0042.476] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0042.476] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0042.477] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0042.477] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0042.477] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0042.477] lstrlenW (lpString="nsi") returned 3 [0042.477] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0042.477] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0042.477] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0042.477] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0042.477] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0042.477] lstrlenW (lpString="PcaSvc") returned 6 [0042.477] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0042.477] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0042.477] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0042.477] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0042.477] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0042.477] lstrlenW (lpString="PlugPlay") returned 8 [0042.477] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0042.477] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0042.477] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0042.477] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0042.477] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0042.477] lstrlenW (lpString="Power") returned 5 [0042.477] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0042.477] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0042.477] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0042.477] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0042.477] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0042.477] lstrlenW (lpString="ProfSvc") returned 7 [0042.477] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0042.478] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0042.478] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0042.478] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0042.478] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0042.478] lstrlenW (lpString="RpcEptMapper") returned 12 [0042.478] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0042.478] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0042.478] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0042.478] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0042.478] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0042.478] lstrlenW (lpString="RpcSs") returned 5 [0042.478] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0042.478] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0042.478] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0042.478] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0042.478] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0042.478] lstrlenW (lpString="SamSs") returned 5 [0042.478] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0042.478] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0042.478] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0042.478] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0042.478] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0042.478] lstrlenW (lpString="Schedule") returned 8 [0042.478] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0042.478] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0042.478] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0042.478] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0042.478] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0042.478] lstrlenW (lpString="SENS") returned 4 [0042.478] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0042.478] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0042.478] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0042.479] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0042.479] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0042.479] lstrlenW (lpString="ShellHWDetection") returned 16 [0042.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0042.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0042.479] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0042.479] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0042.479] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0042.479] lstrlenW (lpString="Spooler") returned 7 [0042.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0042.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0042.479] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0042.479] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0042.479] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0042.479] lstrlenW (lpString="SysMain") returned 7 [0042.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0042.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0042.479] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0042.479] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0042.479] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0042.479] lstrlenW (lpString="Themes") returned 6 [0042.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0042.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0042.479] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0042.479] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0042.479] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0042.479] lstrlenW (lpString="TrkWks") returned 6 [0042.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0042.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0042.479] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0042.479] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0042.479] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0042.480] lstrlenW (lpString="UxSms") returned 5 [0042.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0042.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0042.480] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0042.480] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0042.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0042.480] lstrlenW (lpString="WdiServiceHost") returned 14 [0042.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0042.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0042.480] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0042.480] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0042.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0042.480] lstrlenW (lpString="WdiSystemHost") returned 13 [0042.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0042.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0042.480] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0042.480] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0042.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0042.480] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0042.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0042.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0042.480] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0042.480] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0042.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0042.480] lstrlenW (lpString="Winmgmt") returned 7 [0042.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0042.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0042.480] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0042.480] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0042.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0042.480] lstrlenW (lpString="WPDBusEnum") returned 10 [0042.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0042.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0042.480] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0042.480] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0042.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0042.481] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x629820 | out: hHeap=0x5f0000) returned 1 [0042.481] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe4 [0042.485] Process32FirstW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0042.485] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0042.485] lstrlenW (lpString="System") returned 6 [0042.486] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0042.486] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0042.486] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0042.486] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0042.486] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0042.486] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0042.486] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0042.486] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0042.486] lstrlenW (lpString="smss.exe") returned 8 [0042.486] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0042.486] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0042.486] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0042.486] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0042.486] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0042.486] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0042.486] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0042.486] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0042.487] lstrlenW (lpString="csrss.exe") returned 9 [0042.487] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0042.487] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0042.487] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0042.487] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0042.487] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0042.487] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0042.487] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0042.487] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0042.487] lstrlenW (lpString="wininit.exe") returned 11 [0042.487] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0042.487] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0042.487] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0042.487] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0042.487] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0042.487] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0042.487] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0042.487] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0042.487] lstrlenW (lpString="csrss.exe") returned 9 [0042.488] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0042.488] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0042.488] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0042.488] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0042.488] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0042.488] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0042.488] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0042.488] lstrlenW (lpString="winlogon.exe") returned 12 [0042.488] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0042.489] lstrlenW (lpString="services.exe") returned 12 [0042.489] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0042.489] lstrlenW (lpString="lsass.exe") returned 9 [0042.489] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0042.489] lstrlenW (lpString="lsm.exe") returned 7 [0042.489] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.490] lstrlenW (lpString="svchost.exe") returned 11 [0042.490] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.490] lstrlenW (lpString="svchost.exe") returned 11 [0042.490] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.490] lstrlenW (lpString="svchost.exe") returned 11 [0042.490] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.491] lstrlenW (lpString="svchost.exe") returned 11 [0042.491] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.491] lstrlenW (lpString="svchost.exe") returned 11 [0042.491] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0042.491] lstrlenW (lpString="audiodg.exe") returned 11 [0042.491] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.491] lstrlenW (lpString="svchost.exe") returned 11 [0042.492] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.492] lstrlenW (lpString="svchost.exe") returned 11 [0042.492] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0042.492] lstrlenW (lpString="dwm.exe") returned 7 [0042.492] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0042.492] lstrlenW (lpString="explorer.exe") returned 12 [0042.492] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0042.493] lstrlenW (lpString="spoolsv.exe") returned 11 [0042.493] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.493] lstrlenW (lpString="svchost.exe") returned 11 [0042.493] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0042.493] lstrlenW (lpString="taskhost.exe") returned 12 [0042.493] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0042.494] lstrlenW (lpString="taskeng.exe") returned 11 [0042.494] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0042.494] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0042.494] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0042.494] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0042.494] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0042.495] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0042.495] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0042.495] lstrlenW (lpString="celebrateowen.exe") returned 17 [0042.495] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0042.495] lstrlenW (lpString="highlights.exe") returned 14 [0042.495] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0042.495] lstrlenW (lpString="armorthunder.exe") returned 16 [0042.495] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0042.496] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0042.496] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0042.496] lstrlenW (lpString="root.exe") returned 8 [0042.496] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0042.496] lstrlenW (lpString="searches.exe") returned 12 [0042.496] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0042.497] lstrlenW (lpString="gnu.exe") returned 7 [0042.497] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0042.497] lstrlenW (lpString="lat differences.exe") returned 19 [0042.497] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0042.497] lstrlenW (lpString="wetdelayed.exe") returned 14 [0042.497] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0042.498] lstrlenW (lpString="scarydm.exe") returned 11 [0042.498] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0042.498] lstrlenW (lpString="relating coating ride.exe") returned 25 [0042.498] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0042.498] lstrlenW (lpString="compressed.exe") returned 14 [0042.498] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0042.498] lstrlenW (lpString="installing.exe") returned 14 [0042.498] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0042.499] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0042.499] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0042.499] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0042.499] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0042.499] lstrlenW (lpString="3dftp.exe") returned 9 [0042.499] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0042.500] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0042.500] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0042.500] lstrlenW (lpString="alftp.exe") returned 9 [0042.500] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0042.500] lstrlenW (lpString="barca.exe") returned 9 [0042.500] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0042.501] lstrlenW (lpString="bitkinex.exe") returned 12 [0042.501] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0042.501] lstrlenW (lpString="coreftp.exe") returned 11 [0042.501] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0042.501] lstrlenW (lpString="far.exe") returned 7 [0042.501] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0042.501] lstrlenW (lpString="filezilla.exe") returned 13 [0042.501] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0042.502] lstrlenW (lpString="flashfxp.exe") returned 12 [0042.502] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0042.502] lstrlenW (lpString="fling.exe") returned 9 [0042.502] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0042.502] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0042.502] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0042.503] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0042.503] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0042.503] lstrlenW (lpString="icq.exe") returned 7 [0042.503] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0042.503] lstrlenW (lpString="leechftp.exe") returned 12 [0042.503] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0042.503] lstrlenW (lpString="ncftp.exe") returned 9 [0042.504] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0042.504] lstrlenW (lpString="notepad.exe") returned 11 [0042.504] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0042.504] lstrlenW (lpString="operamail.exe") returned 13 [0042.504] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0042.505] lstrlenW (lpString="outlook.exe") returned 11 [0042.511] CloseHandle (hObject=0xe8) returned 1 [0042.511] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0042.511] lstrlenW (lpString="pidgin.exe") returned 10 [0042.511] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0042.512] lstrlenW (lpString="scriptftp.exe") returned 13 [0042.512] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0042.512] lstrlenW (lpString="skype.exe") returned 9 [0042.512] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0042.512] lstrlenW (lpString="smartftp.exe") returned 12 [0042.512] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0042.513] lstrlenW (lpString="thunderbird.exe") returned 15 [0042.513] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0042.513] lstrlenW (lpString="totalcmd.exe") returned 12 [0042.513] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0042.514] lstrlenW (lpString="trillian.exe") returned 12 [0042.514] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0042.514] lstrlenW (lpString="webdrive.exe") returned 12 [0042.514] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0042.514] lstrlenW (lpString="whatsapp.exe") returned 12 [0042.514] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0042.515] lstrlenW (lpString="winscp.exe") returned 10 [0042.515] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0042.515] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0042.515] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0042.515] lstrlenW (lpString="active-charge.exe") returned 17 [0042.516] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0042.516] lstrlenW (lpString="accupos.exe") returned 11 [0042.516] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0042.516] lstrlenW (lpString="afr38.exe") returned 9 [0042.516] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0042.517] lstrlenW (lpString="aldelo.exe") returned 10 [0042.517] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0042.517] lstrlenW (lpString="ccv_server.exe") returned 14 [0042.517] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0042.517] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0042.517] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0042.518] lstrlenW (lpString="creditservice.exe") returned 17 [0042.518] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0042.518] lstrlenW (lpString="edcsvr.exe") returned 10 [0042.518] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0042.518] lstrlenW (lpString="fpos.exe") returned 8 [0042.518] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0042.519] lstrlenW (lpString="isspos.exe") returned 10 [0042.519] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0042.519] lstrlenW (lpString="mxslipstream.exe") returned 16 [0042.519] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0042.520] lstrlenW (lpString="omnipos.exe") returned 11 [0042.520] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0042.520] lstrlenW (lpString="spcwin.exe") returned 10 [0042.520] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0042.520] lstrlenW (lpString="spgagentservice.exe") returned 19 [0042.520] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0042.521] lstrlenW (lpString="utg2.exe") returned 8 [0042.521] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0042.521] lstrlenW (lpString="november_objects.exe") returned 20 [0042.521] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0042.521] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0042.521] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0042.522] lstrlenW (lpString="peace_bite.exe") returned 14 [0042.522] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0042.522] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0042.522] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0042.522] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0042.522] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0042.523] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0042.523] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0042.523] lstrlenW (lpString="taskhost.exe") returned 12 [0042.523] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0042.523] lstrlenW (lpString="dllhost.exe") returned 11 [0042.523] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0042.524] lstrlenW (lpString="dllhost.exe") returned 11 [0042.524] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0042.524] lstrlenW (lpString="winhost.exe") returned 11 [0042.524] Process32NextW (in: hSnapshot=0xe4, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 0 [0042.524] CloseHandle (hObject=0xe4) returned 1 [0042.524] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6258a8 | out: hHeap=0x5f0000) returned 1 [0042.524] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6258f0 | out: hHeap=0x5f0000) returned 1 [0042.524] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625938 | out: hHeap=0x5f0000) returned 1 [0042.524] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625958 | out: hHeap=0x5f0000) returned 1 [0042.524] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6259a0 | out: hHeap=0x5f0000) returned 1 [0042.524] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x624fc8 | out: hHeap=0x5f0000) returned 1 [0042.524] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x624dc0 | out: hHeap=0x5f0000) returned 1 [0042.524] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x624df8 | out: hHeap=0x5f0000) returned 1 [0042.525] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x604350 | out: hHeap=0x5f0000) returned 1 [0042.525] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x604378 | out: hHeap=0x5f0000) returned 1 [0042.525] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x624e40 | out: hHeap=0x5f0000) returned 1 [0042.525] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6043a0 | out: hHeap=0x5f0000) returned 1 [0042.525] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x62ba68 [0042.525] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x63ba70 [0042.525] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624fc8 [0042.525] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624fc8, Size=0x20) returned 0x6043a0 [0042.525] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6043a0, Size=0x40) returned 0x6276f8 [0042.525] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624fc8 [0042.525] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624fc8, Size=0x20) returned 0x6043a0 [0042.525] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624fc8 [0042.525] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624fc8, Size=0x20) returned 0x604378 [0042.525] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624fc8 [0042.525] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624fc8, Size=0x20) returned 0x604350 [0042.525] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604350, Size=0x40) returned 0x627740 [0042.525] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x63ba70, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\winhost.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\winhost.exe")) returned 0x31 [0042.525] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x64ba78 [0042.526] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x65ba80 [0042.526] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624fc8 [0042.526] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624fc8, Size=0x20) returned 0x604350 [0042.526] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604350, Size=0x40) returned 0x627788 [0042.526] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x627788, Size=0x80) returned 0x6258a8 [0042.526] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6258a8, Size=0x100) returned 0x6271f0 [0042.526] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0042.526] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6271f0 | out: hHeap=0x5f0000) returned 1 [0042.526] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32\\winhost.exe", lpDst=0x64ba78, nSize=0x7fff | out: lpDst="C:\\Windows\\System32\\winhost.exe") returned 0x20 [0042.526] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x65ba80 | out: hHeap=0x5f0000) returned 1 [0042.526] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64ba78 | out: hHeap=0x5f0000) returned 1 [0042.526] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x1e10020 [0042.526] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624fc8 [0042.526] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624fc8, Size=0x20) returned 0x604350 [0042.526] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624fc8 [0042.526] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624fc8, Size=0x20) returned 0x625f70 [0042.526] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0042.526] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0042.527] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x0) returned 1 [0042.527] lstrlenW (lpString="kernel32.dll") returned 12 [0042.527] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x604350 | out: hHeap=0x5f0000) returned 1 [0042.527] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0042.527] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625f70 | out: hHeap=0x5f0000) returned 1 [0042.527] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\winhost.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\winhost.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0042.527] CreateFileW (lpFileName="C:\\Windows\\System32\\winhost.exe" (normalized: "c:\\windows\\system32\\winhost.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0042.528] ReadFile (in: hFile=0xe4, lpBuffer=0x1e10020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x1e10020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0042.548] WriteFile (in: hFile=0xe8, lpBuffer=0x1e10020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x1e10020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0042.552] ReadFile (in: hFile=0xe4, lpBuffer=0x1e10020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x1e10020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0042.552] CloseHandle (hObject=0xe8) returned 1 [0042.556] CloseHandle (hObject=0xe4) returned 1 [0042.556] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624fc8 [0042.556] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624fc8, Size=0x20) returned 0x625f70 [0042.556] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624fc8 [0042.556] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624fc8, Size=0x20) returned 0x625f20 [0042.557] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0042.557] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0042.557] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0042.557] lstrlenW (lpString="kernel32.dll") returned 12 [0042.557] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625f20 | out: hHeap=0x5f0000) returned 1 [0042.557] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0042.557] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625f70 | out: hHeap=0x5f0000) returned 1 [0042.557] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x1e10020 | out: hHeap=0x5f0000) returned 1 [0042.557] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624fc8 [0042.557] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624fc8, Size=0x20) returned 0x625f70 [0042.557] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625f70, Size=0x40) returned 0x627788 [0042.557] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x627788, Size=0x80) returned 0x64ba90 [0042.558] lstrlenW (lpString="C:\\Windows\\System32\\winhost.exe") returned 31 [0042.558] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0042.558] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x5c) returned 0x6258a8 [0042.558] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x18fd6c | out: phkResult=0x18fd6c*=0xe4) returned 0x0 [0042.558] RegSetValueExW (in: hKey=0xe4, lpValueName="winhost.exe", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\System32\\winhost.exe", cbData=0x3e | out: lpData="C:\\Windows\\System32\\winhost.exe") returned 0x0 [0042.559] RegCloseKey (hKey=0xe4) returned 0x0 [0042.559] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6258a8 | out: hHeap=0x5f0000) returned 1 [0042.560] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0042.560] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64ba90 | out: hHeap=0x5f0000) returned 1 [0042.560] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x64da78 [0042.560] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x65da80 [0042.560] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624fc8 [0042.560] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624fc8, Size=0x20) returned 0x625f70 [0042.560] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625f70, Size=0x40) returned 0x627788 [0042.560] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x627788, Size=0x80) returned 0x64ba90 [0042.560] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64ba90, Size=0x100) returned 0x6271f0 [0042.560] lstrlenW (lpString="") returned 0 [0042.560] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0042.560] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8c) returned 0x6272f8 [0042.560] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0042.560] RegQueryValueExW (in: hKey=0xe4, lpValueName="Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x65da80, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x0, lpData=0x65da80*=0x53, lpcbData=0x18fd50*=0x7fff) returned 0x2 [0042.560] RegCloseKey (hKey=0xe4) returned 0x0 [0042.560] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6272f8 | out: hHeap=0x5f0000) returned 1 [0042.560] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0042.560] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8c) returned 0x6272f8 [0042.560] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe8) returned 0x0 [0042.561] RegQueryValueExW (in: hKey=0xe8, lpValueName="Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x65da80, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fd50*=0x98) returned 0x0 [0042.561] RegCloseKey (hKey=0xe8) returned 0x0 [0042.561] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6272f8 | out: hHeap=0x5f0000) returned 1 [0042.561] lstrlenW (lpString="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 75 [0042.561] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0042.561] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6271f0 | out: hHeap=0x5f0000) returned 1 [0042.561] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winhost.exe", lpDst=0x64da78, nSize=0x7fff | out: lpDst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winhost.exe") returned 0x68 [0042.561] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x65da80 | out: hHeap=0x5f0000) returned 1 [0042.561] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64da78 | out: hHeap=0x5f0000) returned 1 [0042.561] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x1e10020 [0042.562] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624ff8 [0042.562] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624ff8, Size=0x20) returned 0x625f70 [0042.562] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624ff8 [0042.562] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624ff8, Size=0x20) returned 0x625f20 [0042.562] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0042.562] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0042.562] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0042.562] lstrlenW (lpString="kernel32.dll") returned 12 [0042.562] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625f70 | out: hHeap=0x5f0000) returned 1 [0042.562] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0042.562] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625f20 | out: hHeap=0x5f0000) returned 1 [0042.562] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\winhost.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\winhost.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0042.562] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winhost.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\winhost.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0042.566] ReadFile (in: hFile=0xe8, lpBuffer=0x1e10020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x1e10020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0042.595] WriteFile (in: hFile=0xec, lpBuffer=0x1e10020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x1e10020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0042.599] ReadFile (in: hFile=0xe8, lpBuffer=0x1e10020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x1e10020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0042.599] CloseHandle (hObject=0xec) returned 1 [0042.601] CloseHandle (hObject=0xe8) returned 1 [0042.601] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624ff8 [0042.601] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624ff8, Size=0x20) returned 0x625f20 [0042.601] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624ff8 [0042.602] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624ff8, Size=0x20) returned 0x625f70 [0042.602] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0042.602] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0042.602] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0042.602] lstrlenW (lpString="kernel32.dll") returned 12 [0042.602] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625f70 | out: hHeap=0x5f0000) returned 1 [0042.602] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0042.602] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625f20 | out: hHeap=0x5f0000) returned 1 [0042.602] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x1e10020 | out: hHeap=0x5f0000) returned 1 [0042.602] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x64da78 [0042.602] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x65da80 [0042.602] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624ff8 [0042.602] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624ff8, Size=0x20) returned 0x625f20 [0042.603] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625f20, Size=0x40) returned 0x627788 [0042.603] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x627788, Size=0x80) returned 0x64ba90 [0042.603] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64ba90, Size=0x100) returned 0x6271f0 [0042.603] lstrlenW (lpString="") returned 0 [0042.603] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0042.603] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8c) returned 0x6272f8 [0042.603] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe8) returned 0x0 [0042.603] RegQueryValueExW (in: hKey=0xe8, lpValueName="Common Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x65da80, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x2, lpData="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fd50*=0x78) returned 0x0 [0042.603] RegCloseKey (hKey=0xe8) returned 0x0 [0042.603] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6272f8 | out: hHeap=0x5f0000) returned 1 [0042.603] lstrlenW (lpString="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 59 [0042.603] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0042.603] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6271f0 | out: hHeap=0x5f0000) returned 1 [0042.603] ExpandEnvironmentStringsW (in: lpSrc="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winhost.exe", lpDst=0x64da78, nSize=0x7fff | out: lpDst="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winhost.exe") returned 0x49 [0042.603] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x65da80 | out: hHeap=0x5f0000) returned 1 [0042.603] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64da78 | out: hHeap=0x5f0000) returned 1 [0042.603] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x1e10020 [0042.604] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624ff8 [0042.604] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624ff8, Size=0x20) returned 0x625f20 [0042.604] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624ff8 [0042.604] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624ff8, Size=0x20) returned 0x625f70 [0042.604] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0042.604] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0042.604] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0042.604] lstrlenW (lpString="kernel32.dll") returned 12 [0042.604] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625f20 | out: hHeap=0x5f0000) returned 1 [0042.604] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0042.604] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625f70 | out: hHeap=0x5f0000) returned 1 [0042.604] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\winhost.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\winhost.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0042.604] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winhost.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\winhost.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0042.606] ReadFile (in: hFile=0xe8, lpBuffer=0x1e10020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x1e10020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0042.620] WriteFile (in: hFile=0xec, lpBuffer=0x1e10020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x1e10020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0042.623] ReadFile (in: hFile=0xe8, lpBuffer=0x1e10020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x1e10020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0042.623] CloseHandle (hObject=0xec) returned 1 [0042.624] CloseHandle (hObject=0xe8) returned 1 [0042.624] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624ff8 [0042.625] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624ff8, Size=0x20) returned 0x625f70 [0042.625] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624ff8 [0042.625] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624ff8, Size=0x20) returned 0x625f20 [0042.625] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0042.625] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0042.625] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0042.625] lstrlenW (lpString="kernel32.dll") returned 12 [0042.625] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625f20 | out: hHeap=0x5f0000) returned 1 [0042.625] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0042.625] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625f70 | out: hHeap=0x5f0000) returned 1 [0042.625] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x1e10020 | out: hHeap=0x5f0000) returned 1 [0042.625] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x62ba68 | out: hHeap=0x5f0000) returned 1 [0042.625] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63ba70 | out: hHeap=0x5f0000) returned 1 [0042.625] lstrlenW (lpString="%windir%\\System32") returned 17 [0042.625] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6276f8 | out: hHeap=0x5f0000) returned 1 [0042.626] lstrlenW (lpString="%appdata%") returned 9 [0042.626] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6043a0 | out: hHeap=0x5f0000) returned 1 [0042.626] lstrlenW (lpString="%sh(Startup)%") returned 13 [0042.626] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x604378 | out: hHeap=0x5f0000) returned 1 [0042.626] lstrlenW (lpString="%sh(Common Startup)%") returned 20 [0042.626] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x627740 | out: hHeap=0x5f0000) returned 1 [0042.626] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624ff8 [0042.626] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624ff8, Size=0x20) returned 0x604378 [0042.626] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604378, Size=0x40) returned 0x627740 [0042.626] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x627740, Size=0x80) returned 0x64ba90 [0042.626] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624ff8 [0042.626] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624ff8, Size=0x20) returned 0x604378 [0042.626] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1fffc) returned 0x62ba68 [0042.626] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x64da78 [0042.626] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x65da80 [0042.626] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624ff8 [0042.626] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624ff8, Size=0x20) returned 0x6043a0 [0042.626] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6043a0, Size=0x40) returned 0x627740 [0042.626] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x627740, Size=0x80) returned 0x64bb18 [0042.626] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64bb18, Size=0x100) returned 0x6271f0 [0042.626] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0042.626] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6271f0 | out: hHeap=0x5f0000) returned 1 [0042.626] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x64da78, nSize=0x7fff | out: lpDst="C:\\Windows\\system32\\cmd.exe") returned 0x1c [0042.626] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x65da80 | out: hHeap=0x5f0000) returned 1 [0042.626] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64da78 | out: hHeap=0x5f0000) returned 1 [0042.626] CreatePipe (in: hReadPipe=0x18fd58, hWritePipe=0x18fd5c, lpPipeAttributes=0x18fd48, nSize=0x0 | out: hReadPipe=0x18fd58*=0xec, hWritePipe=0x18fd5c*=0xf0) returned 1 [0042.627] CreatePipe (in: hReadPipe=0x18fdc8, hWritePipe=0x18fdcc, lpPipeAttributes=0x18fd48, nSize=0x0 | out: hReadPipe=0x18fdc8*=0xf4, hWritePipe=0x18fdcc*=0xf8) returned 1 [0042.627] SetHandleInformation (hObject=0xf0, dwMask=0x1, dwFlags=0x0) returned 1 [0042.627] SetHandleInformation (hObject=0xf4, dwMask=0x1, dwFlags=0x0) returned 1 [0042.628] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18fd68*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xec, hStdOutput=0xf8, hStdError=0xf8), lpProcessInformation=0x18fdb8 | out: lpCommandLine=0x0, lpProcessInformation=0x18fdb8*(hProcess=0x100, hThread=0xfc, dwProcessId=0x5b8, dwThreadId=0x64)) returned 1 [0042.656] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0042.656] WriteFile (in: hFile=0xf0, lpBuffer=0x64ba90*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x18fd64, lpOverlapped=0x0 | out: lpBuffer=0x64ba90*, lpNumberOfBytesWritten=0x18fd64*=0x41, lpOverlapped=0x0) returned 1 [0042.656] CloseHandle (hObject=0x100) returned 1 [0042.656] CloseHandle (hObject=0xfc) returned 1 [0042.656] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x62ba68 | out: hHeap=0x5f0000) returned 1 [0042.656] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0042.656] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64ba90 | out: hHeap=0x5f0000) returned 1 [0042.656] lstrlenW (lpString="%comspec%") returned 9 [0042.656] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x604378 | out: hHeap=0x5f0000) returned 1 [0042.656] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a530, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xfc [0042.657] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x624ff8 [0042.657] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a710, lpParameter=0x624ff8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x100 [0042.658] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x624e50 [0042.658] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4098e0, lpParameter=0x624e50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x108 [0042.659] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x625010 [0042.659] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625010, Size=0x20) returned 0x604378 [0042.659] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604378, Size=0x40) returned 0x627740 [0042.659] lstrlenW (lpString="ABCDEFGHIJKLMNOPQRSTUVWXYZ") returned 26 [0042.659] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xd0) returned 0x627268 [0042.659] GetLogicalDrives () returned 0x4 [0042.659] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10014) returned 0x62ba68 [0042.659] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x625010 [0042.659] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625010, Size=0x20) returned 0x604378 [0042.659] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604378, Size=0x40) returned 0x6277d0 [0042.659] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6277d0, Size=0x80) returned 0x64ba90 [0042.659] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64ba90, Size=0x100) returned 0x6297d8 [0042.659] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6297d8, Size=0x200) returned 0x6297d8 [0042.659] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6297d8, Size=0x400) returned 0x6297d8 [0042.659] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6297d8, Size=0x800) returned 0x629df0 [0042.659] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x629df0, Size=0x1000) returned 0x63ba88 [0042.659] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x64da78 [0042.659] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x625010 [0042.659] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x6250e8 [0042.659] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x624df8 [0042.659] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x625100 [0042.659] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x624e08 [0042.660] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x625118 [0042.660] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624e08, Size=0x8) returned 0x624e08 [0042.660] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x625130 [0042.660] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624e08, Size=0x10) returned 0x624dc0 [0042.660] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x625148 [0042.660] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x625160 [0042.660] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624dc0, Size=0x20) returned 0x625918 [0042.660] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x625178 [0042.660] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x624e08 [0042.660] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x625190 [0042.660] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x6251a8 [0042.660] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625918, Size=0x40) returned 0x625918 [0042.660] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x6251c0 [0042.660] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x6251d8 [0042.660] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x6251f0 [0042.660] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x625208 [0042.660] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x625220 [0042.660] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x625238 [0042.660] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x625960 [0042.660] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x625250 [0042.660] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625918, Size=0x80) returned 0x6297d8 [0042.660] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x625268 [0042.660] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x625280 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x625298 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6252b0 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629e08 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x629e20 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629e38 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x624dc0 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629e50 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629e68 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x629e80 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629e98 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x629eb0 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629ec8 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x629ee0 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629ef8 [0042.661] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6297d8, Size=0x100) returned 0x6297d8 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629f10 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629f28 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629f40 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x629f58 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629f70 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629f88 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x624dd0 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629fa0 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629fb8 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629fd0 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x627100 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629fe8 [0042.661] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a000 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x627110 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a018 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a030 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x62a048 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a060 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a078 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a090 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x62a0a8 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a0c0 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x62a0d8 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a0f0 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a108 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a120 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a138 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x625918 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a150 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a168 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a180 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a198 [0042.662] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6297d8, Size=0x200) returned 0x6297d8 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a1b0 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x625928 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a1c8 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a208 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a220 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a238 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a250 [0042.662] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a268 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a280 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a298 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a2b0 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x62a2c8 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x62a2e0 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a2f8 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a310 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x62a328 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x62a340 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a358 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x62a370 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x62a388 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a3a0 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a3b8 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a3d0 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x625938 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a3e8 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a400 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a418 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x625948 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a430 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x62a448 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a460 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a478 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a490 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a4a8 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a4c0 [0042.663] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a4d8 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x62a4f0 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x62a508 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a520 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a538 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a550 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x62a568 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a580 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a598 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a5b0 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a5c8 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a608 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a620 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a638 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x62a9f0 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x62aa00 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a650 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a668 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a680 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a698 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a6b0 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x62a6c8 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a6e0 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a6f8 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a710 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a728 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x62a740 [0042.664] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a758 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a770 [0042.665] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6297d8, Size=0x400) returned 0x6297d8 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a788 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a7a0 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x62a7b8 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a7d0 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a7e8 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a800 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x62a818 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a830 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a848 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a860 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x63caa8 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a878 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x62a890 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a8a8 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a8c0 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a8d8 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a8f0 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x62a908 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a920 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a938 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a950 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a968 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a980 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a998 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a9b0 [0042.665] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x62a9c8 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x63cab8 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cea8 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cec0 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63ced8 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cef0 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cf08 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cf20 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cf38 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cf50 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cf68 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x63cf80 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cf98 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x63cfb0 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cfc8 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cfe0 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cff8 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d010 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d028 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63d040 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d058 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d070 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d088 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d0a0 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d0b8 [0042.666] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d0d0 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d0e8 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d100 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d118 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d130 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d148 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d160 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d178 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d190 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d1a8 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d1c0 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d1d8 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x63d1f0 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12) returned 0x626560 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d208 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d220 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d238 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d250 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d268 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d2a8 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d2c0 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d2d8 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d2f0 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d308 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d320 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d338 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d350 [0042.667] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d368 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d380 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d398 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d3b0 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d3c8 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d3e0 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d3f8 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63d410 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63d428 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63d440 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x63d458 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63d470 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x63cac8 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d488 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x63cad8 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d4a0 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d4b8 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d4d0 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63d4e8 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63d500 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d518 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63d530 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d548 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d560 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63d578 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d590 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63d5a8 [0042.668] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63d5c0 [0042.669] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d5d8 [0042.669] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x63cae8 [0042.669] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d5f0 [0042.669] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63d608 [0042.669] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6297d8, Size=0x800) returned 0x63da90 [0042.669] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0042.669] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63ba88 | out: hHeap=0x5f0000) returned 1 [0042.669] lstrlenW (lpString="") returned 0 [0042.669] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63e3d0 | out: hHeap=0x5f0000) returned 1 [0042.669] lstrlenW (lpString=".bmd") returned 4 [0042.669] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624df8, Size=0x8) returned 0x624df8 [0042.669] lstrlenW (lpString=".bmd") returned 4 [0042.669] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63e3d0 | out: hHeap=0x5f0000) returned 1 [0042.669] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63e400, Size=0x20) returned 0x604378 [0042.669] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604378, Size=0x40) returned 0x6277d0 [0042.669] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6277d0, Size=0x80) returned 0x64ba90 [0042.669] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cb58, Size=0x8) returned 0x63cb68 [0042.669] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cb68, Size=0x10) returned 0x63e400 [0042.670] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63e400, Size=0x20) returned 0x604350 [0042.670] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0042.670] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64ba90 | out: hHeap=0x5f0000) returned 1 [0042.670] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63e430, Size=0x20) returned 0x625f70 [0042.670] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625f70, Size=0x40) returned 0x6277d0 [0042.670] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0042.670] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0042.670] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6277d0 | out: hHeap=0x5f0000) returned 1 [0042.670] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63e430, Size=0x20) returned 0x625f70 [0042.670] lstrlenW (lpString="Info.hta") returned 8 [0042.670] lstrlenW (lpString="Info.hta") returned 8 [0042.670] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625f70 | out: hHeap=0x5f0000) returned 1 [0042.670] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x65da80, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\winhost.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\winhost.exe")) returned 0x31 [0042.670] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x65da80 | out: hHeap=0x5f0000) returned 1 [0042.670] lstrlenW (lpString="winhost.exe") returned 11 [0042.670] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604350, Size=0x40) returned 0x6277d0 [0042.670] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63e430, Size=0x20) returned 0x604350 [0042.671] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63e430, Size=0x20) returned 0x625f70 [0042.671] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625f70, Size=0x40) returned 0x627818 [0042.671] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x627818, Size=0x80) returned 0x64ba90 [0042.671] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64ba90, Size=0x100) returned 0x63ba88 [0042.671] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0042.671] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63ba88 | out: hHeap=0x5f0000) returned 1 [0042.671] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x65da80, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0042.671] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x66da88 | out: hHeap=0x5f0000) returned 1 [0042.671] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x65da80 | out: hHeap=0x5f0000) returned 1 [0042.671] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cb68, Size=0x8) returned 0x63cb58 [0042.671] lstrlenW (lpString="%windir%;") returned 9 [0042.671] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x604350 | out: hHeap=0x5f0000) returned 1 [0042.671] lstrlenW (lpString="C:\\Windows;") returned 11 [0042.671] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64da78 | out: hHeap=0x5f0000) returned 1 [0042.671] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63e448, Size=0x20) returned 0x604350 [0042.671] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604350, Size=0x40) returned 0x627818 [0042.671] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x627818, Size=0x80) returned 0x64ba90 [0042.671] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64ba90, Size=0x100) returned 0x63ba88 [0042.672] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cb98, Size=0x8) returned 0x63cba8 [0042.672] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cba8, Size=0x10) returned 0x63e490 [0042.672] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63e490, Size=0x20) returned 0x604350 [0042.672] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cb68, Size=0x8) returned 0x63cba8 [0042.672] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cb78, Size=0x8) returned 0x63cb68 [0042.672] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cb98, Size=0x8) returned 0x63cbb8 [0042.672] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cbb8, Size=0x10) returned 0x63e538 [0042.672] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63e538, Size=0x20) returned 0x625f70 [0042.672] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cba8, Size=0x10) returned 0x63e538 [0042.672] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cb68, Size=0x10) returned 0x63e568 [0042.672] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cba8, Size=0x8) returned 0x63cb98 [0042.672] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cbc8, Size=0x8) returned 0x63cbd8 [0042.672] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63e538, Size=0x20) returned 0x625f20 [0042.672] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63e568, Size=0x20) returned 0x625e80 [0042.672] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cbe8, Size=0x8) returned 0x63cbf8 [0042.672] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0042.672] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63ba88 | out: hHeap=0x5f0000) returned 1 [0042.672] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63e5e0, Size=0x20) returned 0x625f98 [0042.672] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x64da78, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0042.672] lstrlenW (lpString="C:\\") returned 3 [0042.673] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fcac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fcac*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0042.673] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64da78 | out: hHeap=0x5f0000) returned 1 [0042.673] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cc28, Size=0x82) returned 0x63bff0 [0042.673] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cc48, Size=0x100) returned 0x63c080 [0042.673] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63c188, Size=0x104) returned 0x63c2a8 [0042.673] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64bba0, Size=0x100) returned 0x63c3b8 [0042.673] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63bff0, Size=0x104) returned 0x63c4c0 [0042.674] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63c080, Size=0x200) returned 0x63c5d0 [0042.675] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63cc38 | out: hHeap=0x5f0000) returned 1 [0042.675] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c5d0 | out: hHeap=0x5f0000) returned 1 [0042.675] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63bc08 | out: hHeap=0x5f0000) returned 1 [0042.675] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64bc28 | out: hHeap=0x5f0000) returned 1 [0042.675] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63e640 | out: hHeap=0x5f0000) returned 1 [0042.675] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64bcb0 | out: hHeap=0x5f0000) returned 1 [0042.675] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63e670 | out: hHeap=0x5f0000) returned 1 [0042.675] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c4c0 | out: hHeap=0x5f0000) returned 1 [0042.675] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63e658 | out: hHeap=0x5f0000) returned 1 [0042.675] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c2a8 | out: hHeap=0x5f0000) returned 1 [0042.675] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63bc20 | out: hHeap=0x5f0000) returned 1 [0042.675] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c218 | out: hHeap=0x5f0000) returned 1 [0042.675] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63bc38 | out: hHeap=0x5f0000) returned 1 [0042.675] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63e658, Size=0x20) returned 0x626150 [0043.175] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626150, Size=0x40) returned 0x6278a8 [0044.413] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63bc98, Size=0x20) returned 0x626150 [0044.413] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626150, Size=0x40) returned 0x6279c8 [0044.413] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6279c8, Size=0x80) returned 0x64ba90 [0044.413] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64ba90, Size=0x100) returned 0x63c8a0 [0044.413] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63c8a0, Size=0x200) returned 0x6466e8 [0044.413] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6466e8, Size=0x400) returned 0x6466e8 [0044.413] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6466e8, Size=0x800) returned 0x6466e8 [0044.413] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6466e8, Size=0x1000) returned 0x6466e8 [0044.413] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cc18, Size=0x8) returned 0x63cc28 [0044.413] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cc28, Size=0x10) returned 0x63bc38 [0044.413] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63bc38, Size=0x20) returned 0x626150 [0044.413] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626150, Size=0x40) returned 0x6279c8 [0044.414] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6279c8, Size=0x80) returned 0x64ba90 [0044.414] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64ba90, Size=0x100) returned 0x67dac0 [0044.414] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x67dac0, Size=0x200) returned 0x67fea8 [0044.414] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x67fea8, Size=0x400) returned 0x6804b0 [0044.414] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6804b0, Size=0x800) returned 0x647ef0 [0044.414] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x648e18, Size=0x20) returned 0x626150 [0044.414] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626150, Size=0x40) returned 0x6279c8 [0044.414] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6279c8, Size=0x80) returned 0x64ba90 [0044.414] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cd98, Size=0x8) returned 0x63cda8 [0044.414] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cda8, Size=0x10) returned 0x648e18 [0044.414] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x648e18, Size=0x20) returned 0x626088 [0044.414] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x648e48, Size=0x20) returned 0x626178 [0044.414] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626178, Size=0x40) returned 0x6279c8 [0044.414] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0044.414] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x648e48, Size=0x20) returned 0x626178 [0044.414] lstrlenW (lpString="Info.hta") returned 8 [0044.415] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x680cb8, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\winhost.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\winhost.exe")) returned 0x31 [0045.826] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x680cb8 | out: hHeap=0x5f0000) returned 1 [0045.826] lstrlenW (lpString="winhost.exe") returned 11 [0045.826] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626088, Size=0x40) returned 0x627a58 [0045.826] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646718, Size=0x20) returned 0x626088 [0045.828] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646718, Size=0x20) returned 0x626268 [0045.828] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626268, Size=0x40) returned 0x627aa0 [0045.828] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x627aa0, Size=0x80) returned 0x64ba90 [0045.828] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64ba90, Size=0x100) returned 0x67dac0 [0045.828] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0045.828] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x67dac0 | out: hHeap=0x5f0000) returned 1 [0045.828] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x680cb8, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0045.828] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x690cc0 | out: hHeap=0x5f0000) returned 1 [0045.828] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x680cb8 | out: hHeap=0x5f0000) returned 1 [0045.828] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cda8, Size=0x8) returned 0x63cd98 [0045.828] lstrlenW (lpString="%windir%;") returned 9 [0045.828] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x626088 | out: hHeap=0x5f0000) returned 1 [0045.828] lstrlenW (lpString="C:\\Windows;") returned 11 [0045.828] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x66daa0 | out: hHeap=0x5f0000) returned 1 [0045.829] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646730, Size=0x20) returned 0x626088 [0045.829] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626088, Size=0x40) returned 0x627aa0 [0045.829] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x627aa0, Size=0x80) returned 0x64ba90 [0045.829] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64ba90, Size=0x100) returned 0x67dac0 [0045.829] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cdd8, Size=0x8) returned 0x63cde8 [0045.829] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cde8, Size=0x10) returned 0x646778 [0045.829] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646778, Size=0x20) returned 0x626088 [0045.829] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cda8, Size=0x8) returned 0x63cde8 [0045.829] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cdb8, Size=0x8) returned 0x63cda8 [0045.829] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cdd8, Size=0x8) returned 0x63cdf8 [0045.829] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cdf8, Size=0x10) returned 0x646820 [0045.829] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646820, Size=0x20) returned 0x626268 [0045.829] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cde8, Size=0x10) returned 0x646820 [0045.829] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cda8, Size=0x10) returned 0x646850 [0045.830] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cde8, Size=0x8) returned 0x63cdd8 [0045.830] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63ce08, Size=0x8) returned 0x63ce18 [0045.830] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646820, Size=0x20) returned 0x626290 [0045.830] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646850, Size=0x20) returned 0x6262b8 [0045.830] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63ce28, Size=0x8) returned 0x63ce38 [0045.830] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0045.830] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x67dac0 | out: hHeap=0x5f0000) returned 1 [0045.830] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6468c8, Size=0x20) returned 0x626308 [0045.830] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x66daa0, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0045.830] lstrlenW (lpString="C:\\") returned 3 [0045.830] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fcac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fcac*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0045.831] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x66daa0 | out: hHeap=0x5f0000) returned 1 [0045.831] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63ce68, Size=0x82) returned 0x680618 [0045.831] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63c690, Size=0x100) returned 0x67dac0 [0045.831] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6806a8, Size=0x104) returned 0x646ee8 [0045.831] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64bcb0, Size=0x100) returned 0x67dbc8 [0045.831] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x680618, Size=0x104) returned 0x680618 [0045.832] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x67dac0, Size=0x200) returned 0x66dab8 [0045.833] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63ce78 | out: hHeap=0x5f0000) returned 1 [0045.833] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x66dab8 | out: hHeap=0x5f0000) returned 1 [0045.833] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x646970 | out: hHeap=0x5f0000) returned 1 [0045.833] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64bc28 | out: hHeap=0x5f0000) returned 1 [0045.833] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x646928 | out: hHeap=0x5f0000) returned 1 [0045.833] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64bba0 | out: hHeap=0x5f0000) returned 1 [0045.833] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x646958 | out: hHeap=0x5f0000) returned 1 [0045.833] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x680618 | out: hHeap=0x5f0000) returned 1 [0045.833] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x646940 | out: hHeap=0x5f0000) returned 1 [0045.833] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x646ee8 | out: hHeap=0x5f0000) returned 1 [0045.833] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x646988 | out: hHeap=0x5f0000) returned 1 [0045.833] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x680738 | out: hHeap=0x5f0000) returned 1 [0045.833] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6469a0 | out: hHeap=0x5f0000) returned 1 [0045.834] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6469a0, Size=0x20) returned 0x626330 [0045.834] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626330, Size=0x40) returned 0x627aa0 [0045.834] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63ce48 | out: hHeap=0x5f0000) returned 1 [0045.834] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6468c8 | out: hHeap=0x5f0000) returned 1 [0045.834] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x680588 | out: hHeap=0x5f0000) returned 1 [0045.834] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6468f8 | out: hHeap=0x5f0000) returned 1 [0045.834] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x67dbc8 | out: hHeap=0x5f0000) returned 1 [0045.834] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6468e0 | out: hHeap=0x5f0000) returned 1 [0045.834] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63ce58 | out: hHeap=0x5f0000) returned 1 [0045.834] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x646910 | out: hHeap=0x5f0000) returned 1 [0045.834] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x680020 | out: hHeap=0x5f0000) returned 1 [0045.834] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x626860 | out: hHeap=0x5f0000) returned 1 [0045.834] lstrlenW (lpString="%systemdrive%") returned 13 [0045.834] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x626308 | out: hHeap=0x5f0000) returned 1 [0045.834] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64ba90 | out: hHeap=0x5f0000) returned 1 [0045.834] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63ce28 | out: hHeap=0x5f0000) returned 1 [0045.834] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x65da80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x11c [0045.845] WaitForMultipleObjects (nCount=0x2, lpHandles=0x627268*=0x120, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0xa0c Thread: id = 3 os_tid = 0xa18 Thread: id = 5 os_tid = 0x43c [0043.136] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x63e670 [0043.136] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63e670, Size=0x20) returned 0x625fc0 [0043.136] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625fc0, Size=0x40) returned 0x627818 [0043.136] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x627818, Size=0x80) returned 0x64bcb0 [0043.136] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64bcb0, Size=0x100) returned 0x63c200 [0043.136] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x63e670 [0043.136] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63e670, Size=0x20) returned 0x625fc0 [0043.136] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625fc0, Size=0x40) returned 0x627818 [0043.136] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x627818, Size=0x80) returned 0x64bcb0 [0043.136] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64bcb0, Size=0x100) returned 0x63c4c0 [0043.136] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63e670 [0043.136] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x63cc48 [0043.136] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x63e640 [0043.136] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cc48, Size=0x8) returned 0x63cc28 [0043.136] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x14) returned 0x626680 [0043.136] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cc28, Size=0x10) returned 0x63bc08 [0043.136] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x18) returned 0x6266a0 [0043.136] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1a) returned 0x625fc0 [0043.136] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63bc08, Size=0x20) returned 0x625fe8 [0043.136] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1c) returned 0x626010 [0043.136] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x16) returned 0x6266c0 [0043.136] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1a) returned 0x626038 [0043.136] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63bc08 [0043.136] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x63cc28 [0043.137] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40) returned 0x627818 [0043.137] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cc28, Size=0x8) returned 0x63cc48 [0043.137] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x3c) returned 0x627860 [0043.137] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63cc48, Size=0x10) returned 0x63bc20 [0043.137] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x14) returned 0x6266e0 [0043.137] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x18) returned 0x626700 [0043.137] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63bc20, Size=0x20) returned 0x626060 [0043.137] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x24) returned 0x627380 [0043.137] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0043.137] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c200 | out: hHeap=0x5f0000) returned 1 [0043.137] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0043.137] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c4c0 | out: hHeap=0x5f0000) returned 1 [0043.137] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x626100 [0043.138] EnumServicesStatusExW (in: hSCManager=0x626100, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0043.138] GetLastError () returned 0xea [0043.138] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x11e4) returned 0x63f6d8 [0043.138] EnumServicesStatusExW (in: hSCManager=0x626100, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x63f6d8, cbBufSize=0x11e4, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x63f6d8, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0043.139] CloseServiceHandle (hSCObject=0x626100) returned 1 [0043.139] lstrlenW (lpString="Appinfo") returned 7 [0043.139] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0043.139] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0043.139] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0043.139] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0043.139] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0043.139] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0043.139] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0043.139] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0043.139] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0043.139] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0043.139] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0043.139] lstrlenW (lpString="AudioSrv") returned 8 [0043.139] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0043.139] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0043.139] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0043.139] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0043.139] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0043.139] lstrlenW (lpString="BFE") returned 3 [0043.139] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0043.140] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0043.140] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0043.140] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0043.140] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0043.140] lstrlenW (lpString="CryptSvc") returned 8 [0043.140] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0043.140] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0043.140] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0043.140] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0043.140] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0043.140] lstrlenW (lpString="CscService") returned 10 [0043.140] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0043.140] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0043.140] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0043.140] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0043.140] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0043.140] lstrlenW (lpString="DcomLaunch") returned 10 [0043.140] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0043.140] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0043.140] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0043.140] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0043.140] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0043.140] lstrlenW (lpString="Dhcp") returned 4 [0043.140] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0043.140] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0043.140] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0043.140] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0043.140] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0043.140] lstrlenW (lpString="Dnscache") returned 8 [0043.140] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0043.140] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0043.140] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0043.140] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0043.141] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0043.141] lstrlenW (lpString="DPS") returned 3 [0043.141] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0043.141] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0043.141] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0043.141] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0043.141] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0043.141] lstrlenW (lpString="eventlog") returned 8 [0043.141] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0043.141] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0043.141] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0043.141] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0043.141] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0043.141] lstrlenW (lpString="EventSystem") returned 11 [0043.141] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0043.141] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0043.141] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0043.141] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0043.141] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0043.141] lstrlenW (lpString="gpsvc") returned 5 [0043.141] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0043.141] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0043.141] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0043.141] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0043.141] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0043.141] lstrlenW (lpString="iphlpsvc") returned 8 [0043.141] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0043.141] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0043.141] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0043.141] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0043.141] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0043.141] lstrlenW (lpString="LanmanServer") returned 12 [0043.141] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0043.141] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0043.141] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0043.141] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0043.142] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0043.142] lstrlenW (lpString="LanmanWorkstation") returned 17 [0043.142] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0043.142] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0043.142] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0043.142] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0043.142] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0043.142] lstrlenW (lpString="lmhosts") returned 7 [0043.142] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0043.142] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0043.142] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0043.142] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0043.142] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0043.142] lstrlenW (lpString="MMCSS") returned 5 [0043.142] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0043.142] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0043.142] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0043.142] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0043.142] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0043.142] lstrlenW (lpString="MpsSvc") returned 6 [0043.142] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0043.142] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0043.142] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0043.142] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0043.142] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0043.142] lstrlenW (lpString="Netman") returned 6 [0043.142] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0043.142] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0043.142] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0043.142] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0043.142] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0043.142] lstrlenW (lpString="netprofm") returned 8 [0043.142] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0043.142] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0043.142] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0043.143] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0043.143] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0043.143] lstrlenW (lpString="NlaSvc") returned 6 [0043.143] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0043.143] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0043.143] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0043.143] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0043.143] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0043.143] lstrlenW (lpString="nsi") returned 3 [0043.143] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0043.143] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0043.143] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0043.143] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0043.143] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0043.143] lstrlenW (lpString="PcaSvc") returned 6 [0043.143] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0043.143] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0043.143] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0043.143] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0043.143] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0043.143] lstrlenW (lpString="PlugPlay") returned 8 [0043.143] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0043.143] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0043.143] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0043.143] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0043.143] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0043.144] lstrlenW (lpString="Power") returned 5 [0043.144] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0043.144] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0043.144] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0043.144] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0043.144] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0043.144] lstrlenW (lpString="ProfSvc") returned 7 [0043.144] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0043.144] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0043.144] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0043.144] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0043.144] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0043.144] lstrlenW (lpString="RpcEptMapper") returned 12 [0043.144] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0043.144] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0043.144] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0043.144] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0043.144] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0043.144] lstrlenW (lpString="RpcSs") returned 5 [0043.144] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0043.144] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0043.144] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0043.144] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0043.144] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0043.144] lstrlenW (lpString="SamSs") returned 5 [0043.144] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0043.145] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0043.145] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0043.145] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0043.145] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0043.145] lstrlenW (lpString="Schedule") returned 8 [0043.145] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0043.145] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0043.145] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0043.145] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0043.145] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0043.145] lstrlenW (lpString="SENS") returned 4 [0043.145] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0043.145] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0043.145] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0043.145] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0043.145] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0043.145] lstrlenW (lpString="ShellHWDetection") returned 16 [0043.145] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0043.145] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0043.145] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0043.145] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0043.145] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0043.145] lstrlenW (lpString="Spooler") returned 7 [0043.145] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0043.145] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0043.145] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0043.145] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0043.145] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0043.145] lstrlenW (lpString="SysMain") returned 7 [0043.145] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0043.145] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0043.145] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0043.145] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0043.145] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0043.145] lstrlenW (lpString="Themes") returned 6 [0043.145] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0043.145] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0043.146] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0043.146] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0043.146] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0043.146] lstrlenW (lpString="TrkWks") returned 6 [0043.146] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0043.146] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0043.146] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0043.146] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0043.146] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0043.146] lstrlenW (lpString="UxSms") returned 5 [0043.146] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0043.146] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0043.146] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0043.146] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0043.146] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0043.146] lstrlenW (lpString="WdiServiceHost") returned 14 [0043.146] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0043.146] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0043.146] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0043.146] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0043.146] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0043.146] lstrlenW (lpString="WdiSystemHost") returned 13 [0043.146] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0043.146] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0043.146] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0043.146] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0043.146] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0043.146] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0043.146] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0043.146] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0043.146] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0043.146] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0043.146] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0043.147] lstrlenW (lpString="Winmgmt") returned 7 [0043.147] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0043.147] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0043.147] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0043.147] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0043.147] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0043.147] lstrlenW (lpString="WPDBusEnum") returned 10 [0043.147] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0043.147] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0043.147] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0043.147] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0043.147] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0043.147] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63f6d8 | out: hHeap=0x5f0000) returned 1 [0043.147] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x114 [0043.150] Process32FirstW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0043.151] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0043.151] lstrlenW (lpString="System") returned 6 [0043.151] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0043.151] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0043.151] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0043.151] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0043.151] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0043.151] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0043.151] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0043.151] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0043.151] lstrlenW (lpString="smss.exe") returned 8 [0043.151] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0043.151] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0043.151] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0043.151] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0043.151] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0043.151] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0043.152] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0043.152] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0043.152] lstrlenW (lpString="csrss.exe") returned 9 [0043.152] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0043.152] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0043.152] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0043.152] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0043.152] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0043.152] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0043.152] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0043.152] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0043.152] lstrlenW (lpString="wininit.exe") returned 11 [0043.152] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0043.152] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0043.152] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0043.152] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0043.152] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0043.152] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0043.152] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0043.152] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0043.153] lstrlenW (lpString="csrss.exe") returned 9 [0043.153] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0043.153] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0043.153] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0043.153] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0043.153] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0043.153] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0043.153] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0043.153] lstrlenW (lpString="winlogon.exe") returned 12 [0043.153] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0043.154] lstrlenW (lpString="services.exe") returned 12 [0043.154] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0043.154] lstrlenW (lpString="lsass.exe") returned 9 [0043.154] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0043.154] lstrlenW (lpString="lsm.exe") returned 7 [0043.154] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.155] lstrlenW (lpString="svchost.exe") returned 11 [0043.155] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.155] lstrlenW (lpString="svchost.exe") returned 11 [0043.155] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.155] lstrlenW (lpString="svchost.exe") returned 11 [0043.155] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.156] lstrlenW (lpString="svchost.exe") returned 11 [0043.156] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.156] lstrlenW (lpString="svchost.exe") returned 11 [0043.156] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0043.156] lstrlenW (lpString="audiodg.exe") returned 11 [0043.156] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.157] lstrlenW (lpString="svchost.exe") returned 11 [0043.157] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.157] lstrlenW (lpString="svchost.exe") returned 11 [0043.157] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0043.157] lstrlenW (lpString="dwm.exe") returned 7 [0043.157] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0043.157] lstrlenW (lpString="explorer.exe") returned 12 [0043.158] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0043.158] lstrlenW (lpString="spoolsv.exe") returned 11 [0043.158] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.158] lstrlenW (lpString="svchost.exe") returned 11 [0043.158] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0043.158] lstrlenW (lpString="taskhost.exe") returned 12 [0043.158] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0043.159] lstrlenW (lpString="taskeng.exe") returned 11 [0043.159] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0043.159] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0043.159] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0043.159] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0043.159] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0043.160] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0043.160] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0043.160] lstrlenW (lpString="celebrateowen.exe") returned 17 [0043.160] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0043.160] lstrlenW (lpString="highlights.exe") returned 14 [0043.160] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0043.160] lstrlenW (lpString="armorthunder.exe") returned 16 [0043.160] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0043.161] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0043.161] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0043.161] lstrlenW (lpString="root.exe") returned 8 [0043.161] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0043.161] lstrlenW (lpString="searches.exe") returned 12 [0043.161] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0043.162] lstrlenW (lpString="gnu.exe") returned 7 [0043.162] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0043.162] lstrlenW (lpString="lat differences.exe") returned 19 [0043.162] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0043.162] lstrlenW (lpString="wetdelayed.exe") returned 14 [0043.162] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0043.162] lstrlenW (lpString="scarydm.exe") returned 11 [0043.162] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0043.163] lstrlenW (lpString="relating coating ride.exe") returned 25 [0043.163] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0043.163] lstrlenW (lpString="compressed.exe") returned 14 [0043.163] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0043.163] lstrlenW (lpString="installing.exe") returned 14 [0043.163] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0043.164] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0043.164] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0043.164] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0043.164] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0043.164] lstrlenW (lpString="3dftp.exe") returned 9 [0043.164] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0043.164] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0043.164] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0043.165] lstrlenW (lpString="alftp.exe") returned 9 [0043.165] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0043.165] lstrlenW (lpString="barca.exe") returned 9 [0043.165] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0043.165] lstrlenW (lpString="bitkinex.exe") returned 12 [0043.165] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0043.166] lstrlenW (lpString="coreftp.exe") returned 11 [0043.166] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0043.166] lstrlenW (lpString="far.exe") returned 7 [0043.166] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0043.166] lstrlenW (lpString="filezilla.exe") returned 13 [0043.166] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0043.166] lstrlenW (lpString="flashfxp.exe") returned 12 [0043.166] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0043.167] lstrlenW (lpString="fling.exe") returned 9 [0043.167] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0043.167] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0043.167] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0043.167] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0043.167] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0043.168] lstrlenW (lpString="icq.exe") returned 7 [0043.168] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0043.168] lstrlenW (lpString="leechftp.exe") returned 12 [0043.168] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0043.168] lstrlenW (lpString="ncftp.exe") returned 9 [0043.168] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0043.168] lstrlenW (lpString="notepad.exe") returned 11 [0043.168] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0043.169] lstrlenW (lpString="operamail.exe") returned 13 [0043.169] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0043.169] lstrlenW (lpString="pidgin.exe") returned 10 [0043.169] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0043.170] lstrlenW (lpString="scriptftp.exe") returned 13 [0043.170] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0043.170] lstrlenW (lpString="skype.exe") returned 9 [0043.170] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0043.170] lstrlenW (lpString="smartftp.exe") returned 12 [0043.170] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0043.171] lstrlenW (lpString="thunderbird.exe") returned 15 [0043.171] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0043.171] lstrlenW (lpString="totalcmd.exe") returned 12 [0043.171] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0043.172] lstrlenW (lpString="trillian.exe") returned 12 [0043.172] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0043.172] lstrlenW (lpString="webdrive.exe") returned 12 [0043.172] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0043.172] lstrlenW (lpString="whatsapp.exe") returned 12 [0043.172] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0043.173] lstrlenW (lpString="winscp.exe") returned 10 [0043.173] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0043.173] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0043.173] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0043.174] lstrlenW (lpString="active-charge.exe") returned 17 [0043.174] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0043.174] lstrlenW (lpString="accupos.exe") returned 11 [0043.174] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0043.174] lstrlenW (lpString="afr38.exe") returned 9 [0043.174] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0044.415] lstrlenW (lpString="aldelo.exe") returned 10 [0044.415] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0044.415] lstrlenW (lpString="ccv_server.exe") returned 14 [0044.415] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0044.416] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0044.416] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0044.416] lstrlenW (lpString="creditservice.exe") returned 17 [0044.416] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0044.417] lstrlenW (lpString="edcsvr.exe") returned 10 [0044.417] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0044.417] lstrlenW (lpString="fpos.exe") returned 8 [0044.417] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0044.418] lstrlenW (lpString="isspos.exe") returned 10 [0044.418] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0044.418] lstrlenW (lpString="mxslipstream.exe") returned 16 [0044.418] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0044.419] lstrlenW (lpString="omnipos.exe") returned 11 [0044.419] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0044.419] lstrlenW (lpString="spcwin.exe") returned 10 [0044.419] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0044.419] lstrlenW (lpString="spgagentservice.exe") returned 19 [0044.419] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0044.420] lstrlenW (lpString="utg2.exe") returned 8 [0044.420] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0044.420] lstrlenW (lpString="november_objects.exe") returned 20 [0044.420] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0044.421] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0044.421] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0044.421] lstrlenW (lpString="peace_bite.exe") returned 14 [0044.421] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0044.422] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0044.422] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0044.422] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0044.422] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0044.422] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0044.423] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0044.424] lstrlenW (lpString="taskhost.exe") returned 12 [0044.424] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0044.424] lstrlenW (lpString="dllhost.exe") returned 11 [0044.424] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0044.424] lstrlenW (lpString="dllhost.exe") returned 11 [0044.424] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0044.425] lstrlenW (lpString="winhost.exe") returned 11 [0044.425] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0044.425] lstrlenW (lpString="cmd.exe") returned 7 [0044.425] Process32NextW (in: hSnapshot=0x114, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 0 [0044.426] CloseHandle (hObject=0x114) returned 1 [0044.426] Sleep (dwMilliseconds=0x1f4) [0045.880] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x63c690 [0045.882] EnumServicesStatusExW (in: hSCManager=0x63c690, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0045.883] GetLastError () returned 0xea [0045.884] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x11e4) returned 0x671aa0 [0045.884] EnumServicesStatusExW (in: hSCManager=0x63c690, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x671aa0, cbBufSize=0x11e4, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x671aa0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0045.885] CloseServiceHandle (hSCObject=0x63c690) returned 1 [0045.885] lstrlenW (lpString="Appinfo") returned 7 [0045.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0045.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0045.885] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0045.885] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0045.885] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0045.885] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0045.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0045.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0045.885] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0045.886] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0045.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0045.886] lstrlenW (lpString="AudioSrv") returned 8 [0045.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0045.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0045.886] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0045.886] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0045.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0045.886] lstrlenW (lpString="BFE") returned 3 [0045.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0045.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0045.886] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0045.886] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0045.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0045.886] lstrlenW (lpString="CryptSvc") returned 8 [0045.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0045.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0045.886] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0045.886] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0045.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0045.886] lstrlenW (lpString="CscService") returned 10 [0045.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0045.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0045.886] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0045.886] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0045.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0045.886] lstrlenW (lpString="DcomLaunch") returned 10 [0045.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0045.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0045.887] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0045.887] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0045.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0045.887] lstrlenW (lpString="Dhcp") returned 4 [0045.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0045.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0045.887] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0045.887] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0045.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0045.887] lstrlenW (lpString="Dnscache") returned 8 [0045.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0045.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0045.887] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0045.887] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0045.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0045.887] lstrlenW (lpString="DPS") returned 3 [0045.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0045.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0045.887] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0045.887] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0045.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0045.887] lstrlenW (lpString="eventlog") returned 8 [0045.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0045.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0045.887] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0045.887] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0045.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0045.888] lstrlenW (lpString="EventSystem") returned 11 [0045.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0045.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0045.888] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0045.888] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0045.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0045.888] lstrlenW (lpString="gpsvc") returned 5 [0045.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0045.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0045.888] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0045.888] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0045.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0045.888] lstrlenW (lpString="iphlpsvc") returned 8 [0045.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0045.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0045.888] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0045.888] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0045.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0045.888] lstrlenW (lpString="LanmanServer") returned 12 [0045.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0045.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0045.888] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0045.888] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0045.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0045.888] lstrlenW (lpString="LanmanWorkstation") returned 17 [0045.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0045.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0045.888] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0045.889] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0045.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0045.889] lstrlenW (lpString="lmhosts") returned 7 [0045.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0045.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0045.889] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0045.889] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0045.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0045.889] lstrlenW (lpString="MMCSS") returned 5 [0045.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0045.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0045.889] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0045.889] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0045.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0045.889] lstrlenW (lpString="MpsSvc") returned 6 [0045.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0045.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0045.889] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0045.890] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0045.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0045.890] lstrlenW (lpString="Netman") returned 6 [0045.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0045.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0045.890] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0045.890] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0045.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0045.890] lstrlenW (lpString="netprofm") returned 8 [0045.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0045.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0045.890] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0045.890] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0045.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0045.890] lstrlenW (lpString="NlaSvc") returned 6 [0045.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0045.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0045.890] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0045.890] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0045.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0045.890] lstrlenW (lpString="nsi") returned 3 [0045.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0045.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0045.890] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0045.890] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0045.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0045.890] lstrlenW (lpString="PcaSvc") returned 6 [0045.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0045.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0045.891] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0045.891] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0045.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0045.891] lstrlenW (lpString="PlugPlay") returned 8 [0045.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0045.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0045.891] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0045.891] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0045.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0045.891] lstrlenW (lpString="Power") returned 5 [0045.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0045.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0045.891] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0045.891] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0045.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0045.891] lstrlenW (lpString="ProfSvc") returned 7 [0045.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0045.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0045.891] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0045.891] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0045.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0045.891] lstrlenW (lpString="RpcEptMapper") returned 12 [0045.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0045.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0045.891] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0045.891] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0045.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0045.891] lstrlenW (lpString="RpcSs") returned 5 [0045.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0045.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0045.892] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0045.892] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0045.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0045.892] lstrlenW (lpString="SamSs") returned 5 [0045.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0045.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0045.892] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0045.892] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0045.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0045.892] lstrlenW (lpString="Schedule") returned 8 [0045.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0045.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0045.892] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0045.892] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0045.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0045.892] lstrlenW (lpString="SENS") returned 4 [0045.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0045.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0045.892] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0045.892] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0045.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0045.892] lstrlenW (lpString="ShellHWDetection") returned 16 [0045.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0045.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0045.892] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0045.892] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0045.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0045.893] lstrlenW (lpString="Spooler") returned 7 [0045.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0045.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0045.893] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0045.893] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0045.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0045.893] lstrlenW (lpString="SysMain") returned 7 [0045.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0045.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0045.893] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0045.893] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0045.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0045.893] lstrlenW (lpString="Themes") returned 6 [0045.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0045.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0045.893] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0045.893] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0045.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0045.893] lstrlenW (lpString="TrkWks") returned 6 [0045.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0045.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0045.893] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0045.893] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0045.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0045.893] lstrlenW (lpString="UxSms") returned 5 [0045.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0045.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0045.893] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0045.894] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0045.894] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0045.894] lstrlenW (lpString="WdiServiceHost") returned 14 [0045.894] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0045.894] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0045.894] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0045.894] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0045.894] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0045.894] lstrlenW (lpString="WdiSystemHost") returned 13 [0045.894] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0045.894] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0045.894] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0045.894] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0045.894] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0045.894] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0045.894] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0045.894] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0045.894] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0045.894] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0045.894] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0045.894] lstrlenW (lpString="Winmgmt") returned 7 [0045.894] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0045.894] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0045.894] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0045.894] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0045.894] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0045.894] lstrlenW (lpString="WPDBusEnum") returned 10 [0045.894] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0045.895] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0045.895] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0045.895] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0045.895] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0045.895] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x671aa0 | out: hHeap=0x5f0000) returned 1 [0045.895] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x13c [0045.904] Process32FirstW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0045.904] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0045.904] lstrlenW (lpString="System") returned 6 [0045.904] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0045.904] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0045.904] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0045.904] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0045.904] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0045.904] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0045.905] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0045.905] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0045.906] lstrlenW (lpString="smss.exe") returned 8 [0045.906] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0045.906] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0045.906] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0045.906] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0045.906] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0045.906] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0045.906] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0045.906] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0045.906] lstrlenW (lpString="csrss.exe") returned 9 [0045.906] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0045.906] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0045.906] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0045.907] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0045.907] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0045.907] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0045.907] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0045.907] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0045.907] lstrlenW (lpString="wininit.exe") returned 11 [0045.907] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0045.907] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0045.907] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0045.907] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0045.907] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0045.907] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0045.907] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0045.907] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0045.908] lstrlenW (lpString="csrss.exe") returned 9 [0045.908] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0045.908] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0045.908] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0045.908] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0045.908] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0045.908] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0045.908] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0045.908] lstrlenW (lpString="winlogon.exe") returned 12 [0045.909] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0045.909] lstrlenW (lpString="services.exe") returned 12 [0045.909] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0045.909] lstrlenW (lpString="lsass.exe") returned 9 [0045.909] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0045.910] lstrlenW (lpString="lsm.exe") returned 7 [0045.910] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.910] lstrlenW (lpString="svchost.exe") returned 11 [0045.910] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.910] lstrlenW (lpString="svchost.exe") returned 11 [0045.911] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.911] lstrlenW (lpString="svchost.exe") returned 11 [0045.911] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.911] lstrlenW (lpString="svchost.exe") returned 11 [0045.911] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.912] lstrlenW (lpString="svchost.exe") returned 11 [0045.912] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0045.912] lstrlenW (lpString="audiodg.exe") returned 11 [0045.912] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.912] lstrlenW (lpString="svchost.exe") returned 11 [0045.912] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.913] lstrlenW (lpString="svchost.exe") returned 11 [0045.913] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0045.913] lstrlenW (lpString="dwm.exe") returned 7 [0045.913] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0045.914] lstrlenW (lpString="explorer.exe") returned 12 [0045.914] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0045.914] lstrlenW (lpString="spoolsv.exe") returned 11 [0045.914] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.914] lstrlenW (lpString="svchost.exe") returned 11 [0045.914] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0045.915] lstrlenW (lpString="taskhost.exe") returned 12 [0045.915] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0045.915] lstrlenW (lpString="taskeng.exe") returned 11 [0045.915] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0045.916] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0045.916] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0045.916] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0045.916] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0045.916] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0045.916] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0045.917] lstrlenW (lpString="celebrateowen.exe") returned 17 [0045.917] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0045.917] lstrlenW (lpString="highlights.exe") returned 14 [0045.917] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0045.917] lstrlenW (lpString="armorthunder.exe") returned 16 [0045.918] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0045.918] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0045.918] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0045.918] lstrlenW (lpString="root.exe") returned 8 [0045.918] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0045.919] lstrlenW (lpString="searches.exe") returned 12 [0045.919] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0045.919] lstrlenW (lpString="gnu.exe") returned 7 [0045.919] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0045.919] lstrlenW (lpString="lat differences.exe") returned 19 [0045.919] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0045.920] lstrlenW (lpString="wetdelayed.exe") returned 14 [0045.920] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0045.941] lstrlenW (lpString="scarydm.exe") returned 11 [0045.941] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0045.941] lstrlenW (lpString="relating coating ride.exe") returned 25 [0045.941] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0045.942] lstrlenW (lpString="compressed.exe") returned 14 [0045.942] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0045.942] lstrlenW (lpString="installing.exe") returned 14 [0045.942] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0045.943] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0045.943] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0045.943] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0045.943] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0045.943] lstrlenW (lpString="3dftp.exe") returned 9 [0045.943] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0045.944] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0045.944] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0045.944] lstrlenW (lpString="alftp.exe") returned 9 [0045.944] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0045.944] lstrlenW (lpString="barca.exe") returned 9 [0045.944] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0045.945] lstrlenW (lpString="bitkinex.exe") returned 12 [0045.945] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0045.945] lstrlenW (lpString="coreftp.exe") returned 11 [0045.945] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0045.946] lstrlenW (lpString="far.exe") returned 7 [0045.946] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0045.946] lstrlenW (lpString="filezilla.exe") returned 13 [0045.946] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0045.946] lstrlenW (lpString="flashfxp.exe") returned 12 [0045.946] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0045.947] lstrlenW (lpString="fling.exe") returned 9 [0045.947] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0045.947] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0045.947] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0045.947] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0045.947] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0045.948] lstrlenW (lpString="icq.exe") returned 7 [0045.948] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0045.948] lstrlenW (lpString="leechftp.exe") returned 12 [0045.948] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0045.948] lstrlenW (lpString="ncftp.exe") returned 9 [0045.949] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0045.949] lstrlenW (lpString="notepad.exe") returned 11 [0045.949] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0045.949] lstrlenW (lpString="operamail.exe") returned 13 [0045.949] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0045.950] lstrlenW (lpString="pidgin.exe") returned 10 [0045.950] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0045.950] lstrlenW (lpString="scriptftp.exe") returned 13 [0045.951] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0045.951] lstrlenW (lpString="skype.exe") returned 9 [0045.951] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0045.952] lstrlenW (lpString="smartftp.exe") returned 12 [0045.952] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0045.952] lstrlenW (lpString="thunderbird.exe") returned 15 [0045.952] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0045.953] lstrlenW (lpString="totalcmd.exe") returned 12 [0045.954] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0045.954] lstrlenW (lpString="trillian.exe") returned 12 [0045.954] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0045.955] lstrlenW (lpString="webdrive.exe") returned 12 [0045.955] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0045.955] lstrlenW (lpString="whatsapp.exe") returned 12 [0045.955] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0045.956] lstrlenW (lpString="winscp.exe") returned 10 [0045.956] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0045.956] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0045.956] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0045.957] lstrlenW (lpString="active-charge.exe") returned 17 [0045.957] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0045.957] lstrlenW (lpString="accupos.exe") returned 11 [0045.957] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0045.958] lstrlenW (lpString="afr38.exe") returned 9 [0045.958] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0045.958] lstrlenW (lpString="aldelo.exe") returned 10 [0045.958] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0045.959] lstrlenW (lpString="ccv_server.exe") returned 14 [0045.959] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0045.959] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0045.959] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0045.960] lstrlenW (lpString="creditservice.exe") returned 17 [0045.960] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0045.960] lstrlenW (lpString="edcsvr.exe") returned 10 [0045.960] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0045.960] lstrlenW (lpString="fpos.exe") returned 8 [0045.961] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0045.961] lstrlenW (lpString="isspos.exe") returned 10 [0045.961] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0045.961] lstrlenW (lpString="mxslipstream.exe") returned 16 [0045.961] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0045.962] lstrlenW (lpString="omnipos.exe") returned 11 [0045.962] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0045.962] lstrlenW (lpString="spcwin.exe") returned 10 [0045.962] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0045.963] lstrlenW (lpString="spgagentservice.exe") returned 19 [0045.963] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0045.963] lstrlenW (lpString="utg2.exe") returned 8 [0045.963] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0045.964] lstrlenW (lpString="november_objects.exe") returned 20 [0045.964] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0045.964] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0045.964] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0045.965] lstrlenW (lpString="peace_bite.exe") returned 14 [0045.965] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0045.965] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0045.965] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0045.965] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0045.966] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0045.966] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0045.966] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0045.966] lstrlenW (lpString="taskhost.exe") returned 12 [0045.966] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0045.967] lstrlenW (lpString="dllhost.exe") returned 11 [0045.967] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0045.968] lstrlenW (lpString="dllhost.exe") returned 11 [0045.968] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0045.968] lstrlenW (lpString="winhost.exe") returned 11 [0045.968] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0045.969] lstrlenW (lpString="cmd.exe") returned 7 [0045.969] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0045.969] lstrlenW (lpString="conhost.exe") returned 11 [0045.969] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0045.969] lstrlenW (lpString="mode.com") returned 8 [0045.969] Process32NextW (in: hSnapshot=0x13c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0045.970] CloseHandle (hObject=0x13c) returned 1 [0045.970] Sleep (dwMilliseconds=0x1f4) [0047.742] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x63c7a8 [0047.743] EnumServicesStatusExW (in: hSCManager=0x63c7a8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0047.744] GetLastError () returned 0xea [0047.744] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x11e4) returned 0x6e2cf8 [0047.744] EnumServicesStatusExW (in: hSCManager=0x63c7a8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6e2cf8, cbBufSize=0x11e4, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6e2cf8, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0047.745] CloseServiceHandle (hSCObject=0x63c7a8) returned 1 [0047.745] lstrlenW (lpString="Appinfo") returned 7 [0047.745] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0047.745] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0047.745] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0047.745] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0047.745] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0047.746] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0047.746] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0047.746] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0047.746] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0047.746] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0047.746] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0047.746] lstrlenW (lpString="AudioSrv") returned 8 [0047.746] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0047.746] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0047.746] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0047.746] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0047.746] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0047.746] lstrlenW (lpString="BFE") returned 3 [0047.746] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0047.746] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0047.746] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0047.746] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0047.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0047.747] lstrlenW (lpString="CryptSvc") returned 8 [0047.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0047.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0047.747] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0047.747] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0047.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0047.747] lstrlenW (lpString="CscService") returned 10 [0047.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0047.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0047.747] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0047.747] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0047.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0047.747] lstrlenW (lpString="DcomLaunch") returned 10 [0047.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0047.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0047.747] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0047.747] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0047.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0047.747] lstrlenW (lpString="Dhcp") returned 4 [0047.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0047.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0047.747] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0047.747] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0047.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0047.747] lstrlenW (lpString="Dnscache") returned 8 [0047.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0047.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0047.748] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0047.748] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0047.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0047.748] lstrlenW (lpString="DPS") returned 3 [0047.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0047.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0047.748] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0047.748] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0047.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0047.748] lstrlenW (lpString="eventlog") returned 8 [0047.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0047.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0047.748] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0047.748] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0047.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0047.748] lstrlenW (lpString="EventSystem") returned 11 [0047.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0047.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0047.748] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0047.748] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0047.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0047.748] lstrlenW (lpString="gpsvc") returned 5 [0047.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0047.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0047.748] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0047.749] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0047.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0047.749] lstrlenW (lpString="iphlpsvc") returned 8 [0047.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0047.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0047.749] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0047.749] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0047.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0047.749] lstrlenW (lpString="LanmanServer") returned 12 [0047.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0047.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0047.749] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0047.749] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0047.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0047.749] lstrlenW (lpString="LanmanWorkstation") returned 17 [0047.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0047.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0047.749] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0047.749] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0047.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0047.749] lstrlenW (lpString="lmhosts") returned 7 [0047.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0047.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0047.749] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0047.750] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0047.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0047.750] lstrlenW (lpString="MMCSS") returned 5 [0047.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0047.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0047.750] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0047.750] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0047.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0047.750] lstrlenW (lpString="MpsSvc") returned 6 [0047.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0047.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0047.750] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0047.750] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0047.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0047.750] lstrlenW (lpString="Netman") returned 6 [0047.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0047.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0047.750] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0047.750] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0047.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0047.750] lstrlenW (lpString="netprofm") returned 8 [0047.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0047.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0047.750] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0047.750] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0047.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0047.751] lstrlenW (lpString="NlaSvc") returned 6 [0047.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0047.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0047.751] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0047.751] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0047.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0047.751] lstrlenW (lpString="nsi") returned 3 [0047.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0047.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0047.751] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0047.751] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0047.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0047.751] lstrlenW (lpString="PcaSvc") returned 6 [0047.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0047.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0047.751] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0047.751] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0047.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0047.751] lstrlenW (lpString="PlugPlay") returned 8 [0047.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0047.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0047.751] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0047.751] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0047.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0047.751] lstrlenW (lpString="Power") returned 5 [0047.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0047.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0047.752] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0047.752] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0047.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0047.752] lstrlenW (lpString="ProfSvc") returned 7 [0047.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0047.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0047.752] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0047.752] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0047.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0047.752] lstrlenW (lpString="RpcEptMapper") returned 12 [0047.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0047.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0047.752] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0047.752] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0047.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0047.752] lstrlenW (lpString="RpcSs") returned 5 [0047.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0047.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0047.752] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0047.752] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0047.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0047.752] lstrlenW (lpString="SamSs") returned 5 [0047.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0047.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0047.753] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0047.753] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0047.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0047.753] lstrlenW (lpString="Schedule") returned 8 [0047.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0047.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0047.753] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0047.753] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0047.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0047.753] lstrlenW (lpString="SENS") returned 4 [0047.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0047.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0047.753] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0047.753] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0047.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0047.753] lstrlenW (lpString="ShellHWDetection") returned 16 [0047.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0047.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0047.753] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0047.753] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0047.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0047.753] lstrlenW (lpString="Spooler") returned 7 [0047.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0047.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0047.753] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0047.753] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0047.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0047.754] lstrlenW (lpString="SysMain") returned 7 [0047.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0047.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0047.754] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0047.754] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0047.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0047.754] lstrlenW (lpString="Themes") returned 6 [0047.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0047.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0047.754] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0047.754] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0047.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0047.754] lstrlenW (lpString="TrkWks") returned 6 [0047.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0047.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0047.754] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0047.754] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0047.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0047.754] lstrlenW (lpString="UxSms") returned 5 [0047.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0047.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0047.754] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0047.754] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0047.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0047.755] lstrlenW (lpString="WdiServiceHost") returned 14 [0047.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0047.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0047.755] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0047.755] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0047.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0047.755] lstrlenW (lpString="WdiSystemHost") returned 13 [0047.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0047.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0047.755] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0047.755] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0047.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0047.755] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0047.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0047.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0047.755] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0047.755] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0047.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0047.755] lstrlenW (lpString="Winmgmt") returned 7 [0047.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0047.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0047.755] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0047.755] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0047.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0047.755] lstrlenW (lpString="WPDBusEnum") returned 10 [0047.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0047.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0047.756] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0047.756] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0047.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0047.756] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6e2cf8 | out: hHeap=0x5f0000) returned 1 [0047.756] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x15c [0047.760] Process32FirstW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0047.761] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0047.761] lstrlenW (lpString="System") returned 6 [0047.761] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0047.762] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0047.762] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0047.762] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0047.762] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0047.762] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0047.762] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0047.762] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0047.762] lstrlenW (lpString="smss.exe") returned 8 [0047.762] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0047.762] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0047.762] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0047.762] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0047.762] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0047.762] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0047.762] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0047.762] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0047.763] lstrlenW (lpString="csrss.exe") returned 9 [0047.763] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0047.763] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0047.763] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0047.763] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0047.763] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0047.763] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0047.763] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0047.763] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0047.763] lstrlenW (lpString="wininit.exe") returned 11 [0047.763] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0047.763] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0047.763] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0047.764] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0047.764] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0047.764] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0047.764] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0047.764] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0047.764] lstrlenW (lpString="csrss.exe") returned 9 [0047.764] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0047.764] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0047.764] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0047.764] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0047.764] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0047.764] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0047.764] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0047.765] lstrlenW (lpString="winlogon.exe") returned 12 [0047.765] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0047.765] lstrlenW (lpString="services.exe") returned 12 [0047.765] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0047.766] lstrlenW (lpString="lsass.exe") returned 9 [0047.766] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0047.766] lstrlenW (lpString="lsm.exe") returned 7 [0047.766] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.766] lstrlenW (lpString="svchost.exe") returned 11 [0047.766] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.767] lstrlenW (lpString="svchost.exe") returned 11 [0047.767] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.767] lstrlenW (lpString="svchost.exe") returned 11 [0047.767] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.767] lstrlenW (lpString="svchost.exe") returned 11 [0047.767] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.768] lstrlenW (lpString="svchost.exe") returned 11 [0047.768] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0047.768] lstrlenW (lpString="audiodg.exe") returned 11 [0047.768] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.769] lstrlenW (lpString="svchost.exe") returned 11 [0047.769] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.769] lstrlenW (lpString="svchost.exe") returned 11 [0047.769] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0047.769] lstrlenW (lpString="dwm.exe") returned 7 [0047.769] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0047.770] lstrlenW (lpString="explorer.exe") returned 12 [0047.770] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0047.770] lstrlenW (lpString="spoolsv.exe") returned 11 [0047.770] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.771] lstrlenW (lpString="svchost.exe") returned 11 [0047.771] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0047.771] lstrlenW (lpString="taskhost.exe") returned 12 [0047.771] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0047.771] lstrlenW (lpString="taskeng.exe") returned 11 [0047.771] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0047.772] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0047.772] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0047.772] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0047.772] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0047.773] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0047.773] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0047.773] lstrlenW (lpString="celebrateowen.exe") returned 17 [0047.773] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0047.773] lstrlenW (lpString="highlights.exe") returned 14 [0047.774] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0047.774] lstrlenW (lpString="armorthunder.exe") returned 16 [0047.774] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0047.774] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0047.774] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0047.775] lstrlenW (lpString="root.exe") returned 8 [0047.775] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0047.775] lstrlenW (lpString="searches.exe") returned 12 [0047.775] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0047.776] lstrlenW (lpString="gnu.exe") returned 7 [0047.776] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0047.776] lstrlenW (lpString="lat differences.exe") returned 19 [0047.776] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0047.776] lstrlenW (lpString="wetdelayed.exe") returned 14 [0047.786] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0047.786] lstrlenW (lpString="scarydm.exe") returned 11 [0047.786] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0047.787] lstrlenW (lpString="relating coating ride.exe") returned 25 [0047.787] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0047.787] lstrlenW (lpString="compressed.exe") returned 14 [0047.787] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0047.787] lstrlenW (lpString="installing.exe") returned 14 [0047.788] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0047.788] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0047.788] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0047.788] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0047.789] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0047.789] lstrlenW (lpString="3dftp.exe") returned 9 [0047.789] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0047.789] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0047.789] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0047.790] lstrlenW (lpString="alftp.exe") returned 9 [0047.790] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0047.790] lstrlenW (lpString="barca.exe") returned 9 [0047.790] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0047.792] lstrlenW (lpString="bitkinex.exe") returned 12 [0047.792] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0047.793] lstrlenW (lpString="coreftp.exe") returned 11 [0047.793] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0047.794] lstrlenW (lpString="far.exe") returned 7 [0047.794] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0047.794] lstrlenW (lpString="filezilla.exe") returned 13 [0047.794] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0047.795] lstrlenW (lpString="flashfxp.exe") returned 12 [0047.795] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0047.795] lstrlenW (lpString="fling.exe") returned 9 [0047.795] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0047.796] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0047.796] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0047.796] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0047.796] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0047.797] lstrlenW (lpString="icq.exe") returned 7 [0047.797] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0047.797] lstrlenW (lpString="leechftp.exe") returned 12 [0047.797] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0047.798] lstrlenW (lpString="ncftp.exe") returned 9 [0047.798] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0047.798] lstrlenW (lpString="notepad.exe") returned 11 [0047.798] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0047.799] lstrlenW (lpString="operamail.exe") returned 13 [0047.799] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0047.799] lstrlenW (lpString="pidgin.exe") returned 10 [0047.800] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0047.800] lstrlenW (lpString="scriptftp.exe") returned 13 [0047.800] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0047.801] lstrlenW (lpString="skype.exe") returned 9 [0047.801] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0047.801] lstrlenW (lpString="smartftp.exe") returned 12 [0047.802] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0047.802] lstrlenW (lpString="thunderbird.exe") returned 15 [0047.802] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0047.803] lstrlenW (lpString="totalcmd.exe") returned 12 [0047.803] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0047.803] lstrlenW (lpString="trillian.exe") returned 12 [0047.804] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0047.804] lstrlenW (lpString="webdrive.exe") returned 12 [0047.804] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0047.805] lstrlenW (lpString="whatsapp.exe") returned 12 [0047.805] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0047.805] lstrlenW (lpString="winscp.exe") returned 10 [0047.805] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0047.806] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0047.806] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0047.807] lstrlenW (lpString="active-charge.exe") returned 17 [0047.807] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0047.807] lstrlenW (lpString="accupos.exe") returned 11 [0047.807] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0047.809] lstrlenW (lpString="afr38.exe") returned 9 [0047.809] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0047.809] lstrlenW (lpString="aldelo.exe") returned 10 [0047.809] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0047.810] lstrlenW (lpString="ccv_server.exe") returned 14 [0047.810] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0047.811] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0047.811] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0047.811] lstrlenW (lpString="creditservice.exe") returned 17 [0047.811] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0047.812] lstrlenW (lpString="edcsvr.exe") returned 10 [0047.812] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0047.812] lstrlenW (lpString="fpos.exe") returned 8 [0047.812] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0047.813] lstrlenW (lpString="isspos.exe") returned 10 [0047.813] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0047.814] lstrlenW (lpString="mxslipstream.exe") returned 16 [0047.814] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0047.814] lstrlenW (lpString="omnipos.exe") returned 11 [0047.814] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0047.815] lstrlenW (lpString="spcwin.exe") returned 10 [0047.815] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0047.815] lstrlenW (lpString="spgagentservice.exe") returned 19 [0047.815] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0047.816] lstrlenW (lpString="utg2.exe") returned 8 [0047.816] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0047.816] lstrlenW (lpString="november_objects.exe") returned 20 [0047.816] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0047.817] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0047.817] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0047.817] lstrlenW (lpString="peace_bite.exe") returned 14 [0047.817] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0047.818] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0047.818] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0047.818] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0047.818] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0047.819] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0047.819] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0047.819] lstrlenW (lpString="taskhost.exe") returned 12 [0047.819] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0047.819] lstrlenW (lpString="dllhost.exe") returned 11 [0047.820] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0047.820] lstrlenW (lpString="dllhost.exe") returned 11 [0047.820] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0047.820] lstrlenW (lpString="winhost.exe") returned 11 [0047.820] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0047.821] lstrlenW (lpString="cmd.exe") returned 7 [0047.821] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0047.821] lstrlenW (lpString="conhost.exe") returned 11 [0047.821] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0047.822] lstrlenW (lpString="vssadmin.exe") returned 12 [0047.822] Process32NextW (in: hSnapshot=0x15c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0047.822] CloseHandle (hObject=0x15c) returned 1 [0047.822] Sleep (dwMilliseconds=0x1f4) [0048.607] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x63c9d8 [0048.607] EnumServicesStatusExW (in: hSCManager=0x63c9d8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0048.608] GetLastError () returned 0xea [0048.608] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x123e) returned 0x673ab0 [0048.608] EnumServicesStatusExW (in: hSCManager=0x63c9d8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x673ab0, cbBufSize=0x123e, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x673ab0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0048.608] CloseServiceHandle (hSCObject=0x63c9d8) returned 1 [0048.609] lstrlenW (lpString="Appinfo") returned 7 [0048.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0048.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0048.609] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0048.609] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0048.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0048.609] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0048.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0048.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0048.609] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0048.609] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0048.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0048.609] lstrlenW (lpString="AudioSrv") returned 8 [0048.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0048.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0048.609] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0048.609] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0048.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0048.609] lstrlenW (lpString="BFE") returned 3 [0048.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0048.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0048.609] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0048.609] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0048.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0048.610] lstrlenW (lpString="CryptSvc") returned 8 [0048.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0048.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0048.610] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0048.610] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0048.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0048.610] lstrlenW (lpString="CscService") returned 10 [0048.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0048.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0048.610] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0048.610] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0048.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0048.610] lstrlenW (lpString="DcomLaunch") returned 10 [0048.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0048.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0048.610] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0048.610] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0048.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0048.610] lstrlenW (lpString="Dhcp") returned 4 [0048.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0048.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0048.610] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0048.610] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0048.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0048.611] lstrlenW (lpString="Dnscache") returned 8 [0048.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0048.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0048.611] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0048.611] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0048.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0048.611] lstrlenW (lpString="DPS") returned 3 [0048.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0048.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0048.611] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0048.611] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0048.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0048.611] lstrlenW (lpString="eventlog") returned 8 [0048.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0048.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0048.611] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0048.611] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0048.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0048.611] lstrlenW (lpString="EventSystem") returned 11 [0048.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0048.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0048.611] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0048.611] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0048.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0048.611] lstrlenW (lpString="gpsvc") returned 5 [0048.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0048.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0048.612] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0048.612] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0048.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0048.612] lstrlenW (lpString="iphlpsvc") returned 8 [0048.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0048.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0048.612] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0048.612] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0048.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0048.612] lstrlenW (lpString="LanmanServer") returned 12 [0048.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0048.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0048.612] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0048.612] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0048.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0048.612] lstrlenW (lpString="LanmanWorkstation") returned 17 [0048.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0048.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0048.612] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0048.612] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0048.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0048.612] lstrlenW (lpString="lmhosts") returned 7 [0048.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0048.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0048.613] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0048.613] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0048.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0048.613] lstrlenW (lpString="MMCSS") returned 5 [0048.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0048.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0048.613] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0048.613] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0048.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0048.613] lstrlenW (lpString="MpsSvc") returned 6 [0048.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0048.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0048.613] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0048.613] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0048.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0048.613] lstrlenW (lpString="Netman") returned 6 [0048.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0048.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0048.613] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0048.613] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0048.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0048.613] lstrlenW (lpString="netprofm") returned 8 [0048.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0048.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0048.613] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0048.614] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0048.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0048.614] lstrlenW (lpString="NlaSvc") returned 6 [0048.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0048.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0048.614] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0048.614] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0048.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0048.614] lstrlenW (lpString="nsi") returned 3 [0048.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0048.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0048.614] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0048.614] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0048.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0048.614] lstrlenW (lpString="PcaSvc") returned 6 [0048.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0048.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0048.614] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0048.614] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0048.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0048.614] lstrlenW (lpString="PlugPlay") returned 8 [0048.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0048.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0048.614] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0048.614] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0048.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0048.615] lstrlenW (lpString="Power") returned 5 [0048.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0048.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0048.615] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0048.615] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0048.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0048.615] lstrlenW (lpString="ProfSvc") returned 7 [0048.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0048.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0048.615] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0048.615] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0048.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0048.615] lstrlenW (lpString="RpcEptMapper") returned 12 [0048.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0048.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0048.615] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0048.615] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0048.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0048.615] lstrlenW (lpString="RpcSs") returned 5 [0048.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0048.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0048.615] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0048.615] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0048.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0048.615] lstrlenW (lpString="SamSs") returned 5 [0048.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0048.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0048.616] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0048.616] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0048.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0048.616] lstrlenW (lpString="Schedule") returned 8 [0048.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0048.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0048.616] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0048.616] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0048.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0048.616] lstrlenW (lpString="SENS") returned 4 [0048.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0048.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0048.616] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0048.616] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0048.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0048.616] lstrlenW (lpString="ShellHWDetection") returned 16 [0048.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0048.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0048.616] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0048.616] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0048.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0048.616] lstrlenW (lpString="Spooler") returned 7 [0048.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0048.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0048.616] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0048.616] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0048.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0048.617] lstrlenW (lpString="SysMain") returned 7 [0048.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0048.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0048.617] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0048.617] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0048.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0048.617] lstrlenW (lpString="Themes") returned 6 [0048.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0048.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0048.617] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0048.617] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0048.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0048.617] lstrlenW (lpString="TrkWks") returned 6 [0048.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0048.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0048.617] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0048.617] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0048.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0048.617] lstrlenW (lpString="UxSms") returned 5 [0048.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0048.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0048.617] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0048.617] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0048.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0048.617] lstrlenW (lpString="VSS") returned 3 [0048.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0048.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0048.618] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0048.618] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0048.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0048.618] lstrlenW (lpString="WdiServiceHost") returned 14 [0048.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0048.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0048.618] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0048.618] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0048.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0048.618] lstrlenW (lpString="WdiSystemHost") returned 13 [0048.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0048.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0048.618] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0048.618] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0048.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0048.618] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0048.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0048.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0048.618] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0048.618] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0048.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0048.618] lstrlenW (lpString="Winmgmt") returned 7 [0048.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0048.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0048.618] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0048.618] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0048.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0048.618] lstrlenW (lpString="WPDBusEnum") returned 10 [0048.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0048.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0048.618] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0048.618] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0048.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0048.619] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x673ab0 | out: hHeap=0x5f0000) returned 1 [0048.619] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1a4 [0048.897] Process32FirstW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0048.898] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0048.898] lstrlenW (lpString="System") returned 6 [0048.898] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0048.898] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0048.898] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0048.898] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0048.898] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0048.898] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0048.898] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0048.898] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0048.904] lstrlenW (lpString="smss.exe") returned 8 [0048.904] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0048.904] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0048.904] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0048.904] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0048.904] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0048.905] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0048.905] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0048.905] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0048.905] lstrlenW (lpString="csrss.exe") returned 9 [0048.905] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0048.905] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0048.905] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0048.905] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0048.905] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0048.905] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0048.905] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0048.905] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0048.906] lstrlenW (lpString="wininit.exe") returned 11 [0048.906] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0048.906] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0048.906] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0048.906] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0048.906] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0048.906] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0048.906] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0048.906] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0048.906] lstrlenW (lpString="csrss.exe") returned 9 [0048.906] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0048.906] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0048.907] lstrlenW (lpString="winlogon.exe") returned 12 [0048.907] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0048.907] lstrlenW (lpString="services.exe") returned 12 [0048.907] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0048.907] lstrlenW (lpString="lsass.exe") returned 9 [0048.907] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0048.908] lstrlenW (lpString="lsm.exe") returned 7 [0048.908] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.908] lstrlenW (lpString="svchost.exe") returned 11 [0048.908] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.908] lstrlenW (lpString="svchost.exe") returned 11 [0048.908] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.909] lstrlenW (lpString="svchost.exe") returned 11 [0048.909] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.909] lstrlenW (lpString="svchost.exe") returned 11 [0048.909] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.909] lstrlenW (lpString="svchost.exe") returned 11 [0048.909] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0048.909] lstrlenW (lpString="audiodg.exe") returned 11 [0048.910] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.910] lstrlenW (lpString="svchost.exe") returned 11 [0048.910] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.910] lstrlenW (lpString="svchost.exe") returned 11 [0048.910] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0048.910] lstrlenW (lpString="dwm.exe") returned 7 [0048.910] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0048.911] lstrlenW (lpString="explorer.exe") returned 12 [0048.911] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0048.911] lstrlenW (lpString="spoolsv.exe") returned 11 [0048.911] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.911] lstrlenW (lpString="svchost.exe") returned 11 [0048.911] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0048.912] lstrlenW (lpString="taskhost.exe") returned 12 [0048.912] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0048.912] lstrlenW (lpString="taskeng.exe") returned 11 [0048.912] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0048.912] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0048.912] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0048.913] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0048.913] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0048.913] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0048.913] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0048.913] lstrlenW (lpString="celebrateowen.exe") returned 17 [0048.913] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0048.913] lstrlenW (lpString="highlights.exe") returned 14 [0048.913] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0048.914] lstrlenW (lpString="armorthunder.exe") returned 16 [0048.914] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0048.914] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0048.914] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0048.914] lstrlenW (lpString="root.exe") returned 8 [0048.914] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0048.915] lstrlenW (lpString="searches.exe") returned 12 [0048.915] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0048.915] lstrlenW (lpString="gnu.exe") returned 7 [0048.915] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0048.915] lstrlenW (lpString="lat differences.exe") returned 19 [0048.916] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0048.916] lstrlenW (lpString="wetdelayed.exe") returned 14 [0048.916] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0048.916] lstrlenW (lpString="scarydm.exe") returned 11 [0048.916] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0048.916] lstrlenW (lpString="relating coating ride.exe") returned 25 [0048.916] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0048.917] lstrlenW (lpString="compressed.exe") returned 14 [0048.917] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0048.917] lstrlenW (lpString="installing.exe") returned 14 [0048.917] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0048.917] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0048.917] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0048.918] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0048.918] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0048.918] lstrlenW (lpString="3dftp.exe") returned 9 [0048.918] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0048.918] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0048.918] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0048.918] lstrlenW (lpString="alftp.exe") returned 9 [0048.919] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0048.919] lstrlenW (lpString="barca.exe") returned 9 [0048.919] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0048.919] lstrlenW (lpString="bitkinex.exe") returned 12 [0048.919] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0048.919] lstrlenW (lpString="coreftp.exe") returned 11 [0048.919] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0048.920] lstrlenW (lpString="far.exe") returned 7 [0048.920] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0048.920] lstrlenW (lpString="filezilla.exe") returned 13 [0048.920] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0048.920] lstrlenW (lpString="flashfxp.exe") returned 12 [0048.920] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0048.921] lstrlenW (lpString="fling.exe") returned 9 [0048.921] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0048.921] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0048.921] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0048.921] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0048.921] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0048.921] lstrlenW (lpString="icq.exe") returned 7 [0048.921] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0048.922] lstrlenW (lpString="leechftp.exe") returned 12 [0048.922] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0048.922] lstrlenW (lpString="ncftp.exe") returned 9 [0048.922] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0048.922] lstrlenW (lpString="notepad.exe") returned 11 [0048.922] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0048.923] lstrlenW (lpString="operamail.exe") returned 13 [0048.923] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0048.923] lstrlenW (lpString="pidgin.exe") returned 10 [0048.923] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0048.924] lstrlenW (lpString="scriptftp.exe") returned 13 [0048.924] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0048.924] lstrlenW (lpString="skype.exe") returned 9 [0048.924] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0048.924] lstrlenW (lpString="smartftp.exe") returned 12 [0048.925] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0048.925] lstrlenW (lpString="thunderbird.exe") returned 15 [0048.925] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0048.925] lstrlenW (lpString="totalcmd.exe") returned 12 [0048.925] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0048.926] lstrlenW (lpString="trillian.exe") returned 12 [0048.926] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0048.926] lstrlenW (lpString="webdrive.exe") returned 12 [0048.926] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0048.927] lstrlenW (lpString="whatsapp.exe") returned 12 [0048.927] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0048.927] lstrlenW (lpString="winscp.exe") returned 10 [0048.927] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0048.927] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0048.927] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0048.928] lstrlenW (lpString="active-charge.exe") returned 17 [0048.928] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0048.928] lstrlenW (lpString="accupos.exe") returned 11 [0048.928] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0048.929] lstrlenW (lpString="afr38.exe") returned 9 [0048.929] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0048.929] lstrlenW (lpString="aldelo.exe") returned 10 [0048.929] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0048.929] lstrlenW (lpString="ccv_server.exe") returned 14 [0048.929] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0048.930] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0048.930] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0048.930] lstrlenW (lpString="creditservice.exe") returned 17 [0048.930] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0048.930] lstrlenW (lpString="edcsvr.exe") returned 10 [0048.931] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0048.986] lstrlenW (lpString="fpos.exe") returned 8 [0048.986] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0048.986] lstrlenW (lpString="isspos.exe") returned 10 [0048.986] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0048.986] lstrlenW (lpString="mxslipstream.exe") returned 16 [0048.986] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0048.987] lstrlenW (lpString="omnipos.exe") returned 11 [0048.987] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0048.987] lstrlenW (lpString="spcwin.exe") returned 10 [0048.987] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0048.987] lstrlenW (lpString="spgagentservice.exe") returned 19 [0048.987] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0048.988] lstrlenW (lpString="utg2.exe") returned 8 [0048.988] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0048.988] lstrlenW (lpString="november_objects.exe") returned 20 [0048.988] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0048.988] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0048.988] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0048.989] lstrlenW (lpString="peace_bite.exe") returned 14 [0048.989] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0048.989] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0048.989] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0048.989] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0048.989] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0048.990] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0048.990] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0048.990] lstrlenW (lpString="taskhost.exe") returned 12 [0048.990] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0048.990] lstrlenW (lpString="dllhost.exe") returned 11 [0048.990] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0048.991] lstrlenW (lpString="dllhost.exe") returned 11 [0048.991] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0048.991] lstrlenW (lpString="winhost.exe") returned 11 [0048.991] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0048.991] lstrlenW (lpString="cmd.exe") returned 7 [0048.991] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0048.992] lstrlenW (lpString="conhost.exe") returned 11 [0048.992] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0048.992] lstrlenW (lpString="vssadmin.exe") returned 12 [0048.992] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0048.992] lstrlenW (lpString="VSSVC.exe") returned 9 [0048.992] Process32NextW (in: hSnapshot=0x1a4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0048.992] CloseHandle (hObject=0x1a4) returned 1 [0048.993] Sleep (dwMilliseconds=0x1f4) [0049.883] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x674f10 [0049.884] EnumServicesStatusExW (in: hSCManager=0x674f10, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0049.885] GetLastError () returned 0xea [0049.885] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x648ef8 [0049.885] EnumServicesStatusExW (in: hSCManager=0x674f10, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x648ef8, cbBufSize=0x12c6, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x648ef8, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0049.886] CloseServiceHandle (hSCObject=0x674f10) returned 1 [0049.886] lstrlenW (lpString="Appinfo") returned 7 [0049.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0049.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0049.886] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0049.886] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0049.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0049.886] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0049.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0049.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0049.886] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0049.886] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0049.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0049.886] lstrlenW (lpString="AudioSrv") returned 8 [0049.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0049.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0049.886] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0049.886] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0049.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0049.886] lstrlenW (lpString="BFE") returned 3 [0049.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0049.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0049.887] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0049.887] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0049.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0049.887] lstrlenW (lpString="CryptSvc") returned 8 [0049.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0049.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0049.887] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0049.887] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0049.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0049.887] lstrlenW (lpString="CscService") returned 10 [0049.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0049.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0049.887] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0049.887] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0049.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0049.887] lstrlenW (lpString="DcomLaunch") returned 10 [0049.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0049.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0049.887] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0049.887] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0049.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0049.887] lstrlenW (lpString="Dhcp") returned 4 [0049.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0049.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0049.887] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0049.887] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0049.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0049.887] lstrlenW (lpString="Dnscache") returned 8 [0049.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0049.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0049.887] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0049.887] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0049.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0049.887] lstrlenW (lpString="DPS") returned 3 [0049.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0049.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0049.888] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0049.888] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0049.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0049.888] lstrlenW (lpString="eventlog") returned 8 [0049.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0049.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0049.888] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0049.888] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0049.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0049.888] lstrlenW (lpString="EventSystem") returned 11 [0049.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0049.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0049.913] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0049.913] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0049.913] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0049.913] lstrlenW (lpString="gpsvc") returned 5 [0049.913] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0049.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0049.913] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0049.913] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0049.913] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0049.913] lstrlenW (lpString="iphlpsvc") returned 8 [0049.913] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0049.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0049.913] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0049.913] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0049.913] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0049.913] lstrlenW (lpString="LanmanServer") returned 12 [0049.913] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0049.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0049.913] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0049.913] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0049.913] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0049.913] lstrlenW (lpString="LanmanWorkstation") returned 17 [0049.913] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0049.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0049.913] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0049.914] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0049.914] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0049.914] lstrlenW (lpString="lmhosts") returned 7 [0049.914] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0049.914] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0049.914] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0049.914] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0049.914] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0049.914] lstrlenW (lpString="MMCSS") returned 5 [0049.914] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0049.914] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0049.914] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0049.914] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0049.914] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0049.914] lstrlenW (lpString="MpsSvc") returned 6 [0049.914] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0049.914] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0049.914] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0049.914] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0049.914] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0049.914] lstrlenW (lpString="Netman") returned 6 [0049.914] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0049.914] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0049.914] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0049.915] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0049.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0049.915] lstrlenW (lpString="netprofm") returned 8 [0049.915] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0049.915] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0049.915] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0049.915] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0049.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0049.915] lstrlenW (lpString="NlaSvc") returned 6 [0049.915] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0049.915] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0049.915] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0049.915] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0049.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0049.915] lstrlenW (lpString="nsi") returned 3 [0049.915] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0049.915] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0049.915] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0049.915] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0049.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0049.915] lstrlenW (lpString="PcaSvc") returned 6 [0049.915] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0049.915] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0049.915] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0049.915] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0049.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0049.915] lstrlenW (lpString="PlugPlay") returned 8 [0049.915] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0049.915] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0049.915] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0049.915] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0049.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0049.915] lstrlenW (lpString="Power") returned 5 [0049.915] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0049.915] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0049.915] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0049.915] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0049.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0049.916] lstrlenW (lpString="ProfSvc") returned 7 [0049.916] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0049.916] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0049.916] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0049.916] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0049.916] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0049.916] lstrlenW (lpString="RpcEptMapper") returned 12 [0049.916] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0049.916] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0049.916] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0049.916] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0049.916] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0049.916] lstrlenW (lpString="RpcSs") returned 5 [0049.916] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0049.916] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0049.916] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0049.916] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0049.916] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0049.916] lstrlenW (lpString="SamSs") returned 5 [0049.916] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0049.916] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0049.916] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0049.916] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0049.916] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0049.916] lstrlenW (lpString="Schedule") returned 8 [0049.916] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0049.916] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0049.916] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0049.916] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0049.916] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0049.916] lstrlenW (lpString="SENS") returned 4 [0049.916] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0049.916] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0049.916] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0049.916] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0049.916] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0049.917] lstrlenW (lpString="ShellHWDetection") returned 16 [0049.917] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0049.917] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0049.917] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0049.917] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0049.917] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0049.917] lstrlenW (lpString="Spooler") returned 7 [0049.917] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0049.917] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0049.917] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0049.917] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0049.917] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0049.917] lstrlenW (lpString="swprv") returned 5 [0049.917] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0049.917] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0049.917] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0049.917] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0049.917] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0049.917] lstrlenW (lpString="SysMain") returned 7 [0049.917] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0049.917] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0049.917] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0049.917] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0049.917] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0049.917] lstrlenW (lpString="Themes") returned 6 [0049.917] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0049.917] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0049.917] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0049.917] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0049.917] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0049.917] lstrlenW (lpString="TrkWks") returned 6 [0049.917] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0049.917] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0049.917] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0049.917] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0049.917] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0049.917] lstrlenW (lpString="UxSms") returned 5 [0049.917] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0049.918] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0049.918] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0049.918] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0049.918] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0049.918] lstrlenW (lpString="VSS") returned 3 [0049.918] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0049.918] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0049.918] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0049.918] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0049.918] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0049.918] lstrlenW (lpString="WdiServiceHost") returned 14 [0049.918] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0049.918] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0049.918] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0049.918] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0049.918] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0049.918] lstrlenW (lpString="WdiSystemHost") returned 13 [0049.918] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0049.918] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0049.918] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0049.918] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0049.918] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0049.918] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0049.918] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0049.918] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0049.918] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0049.918] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0049.918] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0049.918] lstrlenW (lpString="Winmgmt") returned 7 [0049.918] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0049.918] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0049.918] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0049.918] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0049.918] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0049.918] lstrlenW (lpString="WPDBusEnum") returned 10 [0049.918] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0049.918] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0049.919] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0049.919] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0049.919] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0049.919] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x648ef8 | out: hHeap=0x5f0000) returned 1 [0049.919] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1b4 [0049.928] Process32FirstW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0049.928] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0049.928] lstrlenW (lpString="System") returned 6 [0049.928] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0049.928] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0049.928] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0049.928] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0049.928] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0049.928] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0049.928] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0049.928] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0049.929] lstrlenW (lpString="smss.exe") returned 8 [0049.929] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0049.929] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0049.929] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0049.929] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0049.929] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0049.929] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0049.929] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0049.929] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0049.929] lstrlenW (lpString="csrss.exe") returned 9 [0049.929] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0049.930] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0049.930] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0049.930] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0049.930] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0049.930] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0049.930] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0049.930] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0049.931] lstrlenW (lpString="wininit.exe") returned 11 [0049.931] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0049.931] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0049.931] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0049.931] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0049.931] lstrlenW (lpString="csrss.exe") returned 9 [0049.931] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0049.931] lstrlenW (lpString="winlogon.exe") returned 12 [0049.931] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0049.932] lstrlenW (lpString="services.exe") returned 12 [0049.932] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0049.932] lstrlenW (lpString="lsass.exe") returned 9 [0049.932] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0049.932] lstrlenW (lpString="lsm.exe") returned 7 [0049.932] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.933] lstrlenW (lpString="svchost.exe") returned 11 [0049.933] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.933] lstrlenW (lpString="svchost.exe") returned 11 [0049.933] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.933] lstrlenW (lpString="svchost.exe") returned 11 [0049.933] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.934] lstrlenW (lpString="svchost.exe") returned 11 [0049.934] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.934] lstrlenW (lpString="svchost.exe") returned 11 [0049.934] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0049.934] lstrlenW (lpString="audiodg.exe") returned 11 [0049.934] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.934] lstrlenW (lpString="svchost.exe") returned 11 [0049.934] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.935] lstrlenW (lpString="svchost.exe") returned 11 [0049.935] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0049.935] lstrlenW (lpString="dwm.exe") returned 7 [0049.935] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0049.935] lstrlenW (lpString="explorer.exe") returned 12 [0049.935] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0049.936] lstrlenW (lpString="spoolsv.exe") returned 11 [0049.936] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.936] lstrlenW (lpString="svchost.exe") returned 11 [0049.936] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0049.936] lstrlenW (lpString="taskhost.exe") returned 12 [0049.936] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0049.936] lstrlenW (lpString="taskeng.exe") returned 11 [0049.936] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0049.937] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0049.937] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0049.937] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0049.937] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0049.937] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0049.937] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0049.938] lstrlenW (lpString="celebrateowen.exe") returned 17 [0049.938] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0049.938] lstrlenW (lpString="highlights.exe") returned 14 [0049.938] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0049.938] lstrlenW (lpString="armorthunder.exe") returned 16 [0049.938] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0049.939] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0049.939] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0049.939] lstrlenW (lpString="root.exe") returned 8 [0049.939] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0049.939] lstrlenW (lpString="searches.exe") returned 12 [0049.939] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0049.939] lstrlenW (lpString="gnu.exe") returned 7 [0049.939] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0049.940] lstrlenW (lpString="lat differences.exe") returned 19 [0049.940] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0049.940] lstrlenW (lpString="wetdelayed.exe") returned 14 [0049.940] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0049.940] lstrlenW (lpString="scarydm.exe") returned 11 [0049.940] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0049.941] lstrlenW (lpString="relating coating ride.exe") returned 25 [0049.941] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0049.941] lstrlenW (lpString="compressed.exe") returned 14 [0049.941] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0049.941] lstrlenW (lpString="installing.exe") returned 14 [0049.941] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0049.941] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0049.942] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0049.942] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0049.942] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0049.942] lstrlenW (lpString="3dftp.exe") returned 9 [0049.942] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0049.942] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0049.942] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0049.943] lstrlenW (lpString="alftp.exe") returned 9 [0049.943] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0049.943] lstrlenW (lpString="barca.exe") returned 9 [0049.943] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0049.943] lstrlenW (lpString="bitkinex.exe") returned 12 [0049.943] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0049.944] lstrlenW (lpString="coreftp.exe") returned 11 [0049.944] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0049.944] lstrlenW (lpString="far.exe") returned 7 [0049.944] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0049.945] lstrlenW (lpString="filezilla.exe") returned 13 [0049.945] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0049.946] lstrlenW (lpString="flashfxp.exe") returned 12 [0049.946] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0049.947] lstrlenW (lpString="fling.exe") returned 9 [0049.947] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0049.947] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0049.947] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0049.947] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0049.947] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0049.948] lstrlenW (lpString="icq.exe") returned 7 [0049.948] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0049.948] lstrlenW (lpString="leechftp.exe") returned 12 [0049.948] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0049.948] lstrlenW (lpString="ncftp.exe") returned 9 [0049.948] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0049.949] lstrlenW (lpString="notepad.exe") returned 11 [0049.949] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0049.949] lstrlenW (lpString="operamail.exe") returned 13 [0049.949] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0049.949] lstrlenW (lpString="pidgin.exe") returned 10 [0049.949] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0049.950] lstrlenW (lpString="scriptftp.exe") returned 13 [0049.950] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0049.950] lstrlenW (lpString="skype.exe") returned 9 [0049.950] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0049.951] lstrlenW (lpString="smartftp.exe") returned 12 [0049.951] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0049.951] lstrlenW (lpString="thunderbird.exe") returned 15 [0049.951] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0049.951] lstrlenW (lpString="totalcmd.exe") returned 12 [0049.951] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0049.952] lstrlenW (lpString="trillian.exe") returned 12 [0049.952] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0049.952] lstrlenW (lpString="webdrive.exe") returned 12 [0049.952] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0049.953] lstrlenW (lpString="whatsapp.exe") returned 12 [0049.953] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0049.953] lstrlenW (lpString="winscp.exe") returned 10 [0049.953] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0049.953] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0049.954] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0049.954] lstrlenW (lpString="active-charge.exe") returned 17 [0049.954] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0049.954] lstrlenW (lpString="accupos.exe") returned 11 [0049.954] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0049.955] lstrlenW (lpString="afr38.exe") returned 9 [0049.955] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0049.955] lstrlenW (lpString="aldelo.exe") returned 10 [0049.955] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0049.955] lstrlenW (lpString="ccv_server.exe") returned 14 [0049.955] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0049.956] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0049.956] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0049.956] lstrlenW (lpString="creditservice.exe") returned 17 [0049.956] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0049.957] lstrlenW (lpString="edcsvr.exe") returned 10 [0049.957] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0049.957] lstrlenW (lpString="fpos.exe") returned 8 [0049.957] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0049.957] lstrlenW (lpString="isspos.exe") returned 10 [0049.957] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0049.958] lstrlenW (lpString="mxslipstream.exe") returned 16 [0049.958] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0049.958] lstrlenW (lpString="omnipos.exe") returned 11 [0049.958] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0049.958] lstrlenW (lpString="spcwin.exe") returned 10 [0049.958] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0049.959] lstrlenW (lpString="spgagentservice.exe") returned 19 [0049.959] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0049.959] lstrlenW (lpString="utg2.exe") returned 8 [0049.959] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0049.959] lstrlenW (lpString="november_objects.exe") returned 20 [0049.959] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0049.960] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0049.960] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0049.960] lstrlenW (lpString="peace_bite.exe") returned 14 [0049.960] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0049.961] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0049.961] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0049.961] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0049.961] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0049.961] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0049.962] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0049.962] lstrlenW (lpString="taskhost.exe") returned 12 [0049.962] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0049.962] lstrlenW (lpString="dllhost.exe") returned 11 [0049.962] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0049.963] lstrlenW (lpString="dllhost.exe") returned 11 [0049.963] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0049.963] lstrlenW (lpString="winhost.exe") returned 11 [0049.963] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0049.963] lstrlenW (lpString="cmd.exe") returned 7 [0049.963] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0049.964] lstrlenW (lpString="conhost.exe") returned 11 [0049.964] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0049.964] lstrlenW (lpString="vssadmin.exe") returned 12 [0049.964] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0049.964] lstrlenW (lpString="VSSVC.exe") returned 9 [0049.964] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.964] lstrlenW (lpString="svchost.exe") returned 11 [0049.965] Process32NextW (in: hSnapshot=0x1b4, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0049.965] CloseHandle (hObject=0x1b4) returned 1 [0049.965] Sleep (dwMilliseconds=0x1f4) [0050.476] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x674f10 [0050.477] EnumServicesStatusExW (in: hSCManager=0x674f10, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0050.477] GetLastError () returned 0xea [0050.477] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x649358 [0050.477] EnumServicesStatusExW (in: hSCManager=0x674f10, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x649358, cbBufSize=0x12c6, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x649358, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0050.478] CloseServiceHandle (hSCObject=0x674f10) returned 1 [0050.478] lstrlenW (lpString="Appinfo") returned 7 [0050.478] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0050.478] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0050.478] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0050.478] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0050.478] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0050.478] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0050.478] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0050.478] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0050.478] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0050.478] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0050.478] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0050.479] lstrlenW (lpString="AudioSrv") returned 8 [0050.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0050.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0050.479] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0050.479] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0050.479] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0050.479] lstrlenW (lpString="BFE") returned 3 [0050.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0050.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0050.479] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0050.479] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0050.479] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0050.479] lstrlenW (lpString="CryptSvc") returned 8 [0050.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0050.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0050.479] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0050.479] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0050.479] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0050.479] lstrlenW (lpString="CscService") returned 10 [0050.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0050.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0050.479] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0050.479] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0050.479] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0050.479] lstrlenW (lpString="DcomLaunch") returned 10 [0050.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0050.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0050.479] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0050.480] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0050.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0050.480] lstrlenW (lpString="Dhcp") returned 4 [0050.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0050.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0050.480] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0050.480] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0050.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0050.480] lstrlenW (lpString="Dnscache") returned 8 [0050.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0050.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0050.480] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0050.480] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0050.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0050.480] lstrlenW (lpString="DPS") returned 3 [0050.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0050.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0050.480] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0050.480] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0050.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0050.480] lstrlenW (lpString="eventlog") returned 8 [0050.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0050.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0050.480] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0050.480] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0050.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0050.480] lstrlenW (lpString="EventSystem") returned 11 [0050.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0050.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0050.481] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0050.481] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0050.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0050.481] lstrlenW (lpString="gpsvc") returned 5 [0050.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0050.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0050.481] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0050.481] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0050.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0050.481] lstrlenW (lpString="iphlpsvc") returned 8 [0050.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0050.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0050.481] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0050.481] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0050.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0050.481] lstrlenW (lpString="LanmanServer") returned 12 [0050.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0050.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0050.481] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0050.481] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0050.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0050.481] lstrlenW (lpString="LanmanWorkstation") returned 17 [0050.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0050.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0050.481] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0050.481] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0050.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0050.482] lstrlenW (lpString="lmhosts") returned 7 [0050.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0050.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0050.482] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0050.482] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0050.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0050.482] lstrlenW (lpString="MMCSS") returned 5 [0050.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0050.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0050.482] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0050.482] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0050.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0050.482] lstrlenW (lpString="MpsSvc") returned 6 [0050.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0050.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0050.482] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0050.482] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0050.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0050.482] lstrlenW (lpString="Netman") returned 6 [0050.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0050.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0050.482] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0050.482] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0050.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0050.482] lstrlenW (lpString="netprofm") returned 8 [0050.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0050.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0050.482] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0050.482] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0050.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0050.482] lstrlenW (lpString="NlaSvc") returned 6 [0050.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0050.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0050.482] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0050.483] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0050.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0050.483] lstrlenW (lpString="nsi") returned 3 [0050.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0050.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0050.483] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0050.483] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0050.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0050.483] lstrlenW (lpString="PcaSvc") returned 6 [0050.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0050.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0050.483] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0050.483] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0050.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0050.483] lstrlenW (lpString="PlugPlay") returned 8 [0050.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0050.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0050.483] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0050.483] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0050.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0050.483] lstrlenW (lpString="Power") returned 5 [0050.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0050.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0050.483] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0050.483] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0050.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0050.483] lstrlenW (lpString="ProfSvc") returned 7 [0050.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0050.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0050.483] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0050.483] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0050.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0050.483] lstrlenW (lpString="RpcEptMapper") returned 12 [0050.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0050.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0050.484] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0050.484] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0050.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0050.484] lstrlenW (lpString="RpcSs") returned 5 [0050.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0050.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0050.484] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0050.484] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0050.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0050.484] lstrlenW (lpString="SamSs") returned 5 [0050.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0050.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0050.484] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0050.484] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0050.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0050.484] lstrlenW (lpString="Schedule") returned 8 [0050.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0050.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0050.484] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0050.484] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0050.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0050.484] lstrlenW (lpString="SENS") returned 4 [0050.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0050.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0050.484] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0050.484] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0050.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0050.484] lstrlenW (lpString="ShellHWDetection") returned 16 [0050.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0050.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0050.484] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0050.484] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0050.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0050.484] lstrlenW (lpString="Spooler") returned 7 [0050.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0050.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0050.485] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0050.485] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0050.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0050.485] lstrlenW (lpString="swprv") returned 5 [0050.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0050.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0050.485] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0050.485] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0050.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0050.485] lstrlenW (lpString="SysMain") returned 7 [0050.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0050.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0050.485] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0050.485] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0050.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0050.485] lstrlenW (lpString="Themes") returned 6 [0050.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0050.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0050.485] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0050.485] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0050.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0050.485] lstrlenW (lpString="TrkWks") returned 6 [0050.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0050.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0050.485] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0050.485] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0050.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0050.485] lstrlenW (lpString="UxSms") returned 5 [0050.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0050.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0050.485] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0050.485] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0050.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0050.485] lstrlenW (lpString="VSS") returned 3 [0050.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0050.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0050.486] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0050.486] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0050.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0050.486] lstrlenW (lpString="WdiServiceHost") returned 14 [0050.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0050.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0050.486] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0050.486] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0050.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0050.486] lstrlenW (lpString="WdiSystemHost") returned 13 [0050.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0050.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0050.486] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0050.486] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0050.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0050.486] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0050.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0050.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0050.486] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0050.486] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0050.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0050.486] lstrlenW (lpString="Winmgmt") returned 7 [0050.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0050.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0050.486] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0050.486] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0050.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0050.486] lstrlenW (lpString="WPDBusEnum") returned 10 [0050.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0050.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0050.486] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0050.486] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0050.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0050.487] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x649358 | out: hHeap=0x5f0000) returned 1 [0050.487] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1d0 [0051.077] Process32FirstW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0051.077] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0051.078] lstrlenW (lpString="System") returned 6 [0051.078] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0051.078] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0051.078] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0051.078] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0051.078] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0051.078] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0051.078] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0051.078] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0051.078] lstrlenW (lpString="smss.exe") returned 8 [0051.078] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0051.078] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0051.078] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0051.078] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0051.078] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0051.078] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0051.078] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0051.078] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0051.079] lstrlenW (lpString="csrss.exe") returned 9 [0051.079] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0051.079] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0051.079] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0051.079] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0051.079] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0051.079] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0051.079] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0051.079] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0051.079] lstrlenW (lpString="wininit.exe") returned 11 [0051.079] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0051.079] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0051.079] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0051.080] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0051.080] lstrlenW (lpString="csrss.exe") returned 9 [0051.080] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0051.080] lstrlenW (lpString="winlogon.exe") returned 12 [0051.080] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0051.081] lstrlenW (lpString="services.exe") returned 12 [0051.081] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0051.081] lstrlenW (lpString="lsass.exe") returned 9 [0051.081] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0051.081] lstrlenW (lpString="lsm.exe") returned 7 [0051.081] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.082] lstrlenW (lpString="svchost.exe") returned 11 [0051.082] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.082] lstrlenW (lpString="svchost.exe") returned 11 [0051.082] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.082] lstrlenW (lpString="svchost.exe") returned 11 [0051.082] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.083] lstrlenW (lpString="svchost.exe") returned 11 [0051.083] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.083] lstrlenW (lpString="svchost.exe") returned 11 [0051.083] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0051.083] lstrlenW (lpString="audiodg.exe") returned 11 [0051.084] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.084] lstrlenW (lpString="svchost.exe") returned 11 [0051.084] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.085] lstrlenW (lpString="svchost.exe") returned 11 [0051.085] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0051.085] lstrlenW (lpString="dwm.exe") returned 7 [0051.085] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0051.085] lstrlenW (lpString="explorer.exe") returned 12 [0051.085] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0051.086] lstrlenW (lpString="spoolsv.exe") returned 11 [0051.086] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.086] lstrlenW (lpString="svchost.exe") returned 11 [0051.086] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0051.087] lstrlenW (lpString="taskhost.exe") returned 12 [0051.087] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0051.087] lstrlenW (lpString="taskeng.exe") returned 11 [0051.087] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0051.087] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0051.087] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0051.088] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0051.088] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0051.088] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0051.088] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0051.088] lstrlenW (lpString="celebrateowen.exe") returned 17 [0051.088] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0051.089] lstrlenW (lpString="highlights.exe") returned 14 [0051.089] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0051.089] lstrlenW (lpString="armorthunder.exe") returned 16 [0051.089] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0051.090] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0051.090] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0051.090] lstrlenW (lpString="root.exe") returned 8 [0051.090] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0051.090] lstrlenW (lpString="searches.exe") returned 12 [0051.090] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0051.091] lstrlenW (lpString="gnu.exe") returned 7 [0051.091] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0051.092] lstrlenW (lpString="lat differences.exe") returned 19 [0051.092] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0051.092] lstrlenW (lpString="wetdelayed.exe") returned 14 [0051.092] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0051.093] lstrlenW (lpString="scarydm.exe") returned 11 [0051.093] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0051.093] lstrlenW (lpString="relating coating ride.exe") returned 25 [0051.093] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0051.093] lstrlenW (lpString="compressed.exe") returned 14 [0051.094] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0051.094] lstrlenW (lpString="installing.exe") returned 14 [0051.094] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0051.094] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0051.094] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0051.095] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0051.095] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0051.095] lstrlenW (lpString="3dftp.exe") returned 9 [0051.095] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0051.095] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0051.095] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0051.096] lstrlenW (lpString="alftp.exe") returned 9 [0051.096] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0051.096] lstrlenW (lpString="barca.exe") returned 9 [0051.096] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0051.096] lstrlenW (lpString="bitkinex.exe") returned 12 [0051.096] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0051.097] lstrlenW (lpString="coreftp.exe") returned 11 [0051.097] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0051.097] lstrlenW (lpString="far.exe") returned 7 [0051.097] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0051.097] lstrlenW (lpString="filezilla.exe") returned 13 [0051.098] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0051.098] lstrlenW (lpString="flashfxp.exe") returned 12 [0051.098] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0051.098] lstrlenW (lpString="fling.exe") returned 9 [0051.098] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0051.099] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0051.099] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0051.099] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0051.099] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0051.099] lstrlenW (lpString="icq.exe") returned 7 [0051.099] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0051.100] lstrlenW (lpString="leechftp.exe") returned 12 [0051.100] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0051.100] lstrlenW (lpString="ncftp.exe") returned 9 [0051.100] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0051.100] lstrlenW (lpString="notepad.exe") returned 11 [0051.100] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0051.101] lstrlenW (lpString="operamail.exe") returned 13 [0051.101] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0051.101] lstrlenW (lpString="pidgin.exe") returned 10 [0051.101] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0051.102] lstrlenW (lpString="scriptftp.exe") returned 13 [0051.102] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0051.102] lstrlenW (lpString="skype.exe") returned 9 [0051.103] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0051.103] lstrlenW (lpString="smartftp.exe") returned 12 [0051.103] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0051.103] lstrlenW (lpString="thunderbird.exe") returned 15 [0051.104] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0051.104] lstrlenW (lpString="totalcmd.exe") returned 12 [0051.104] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0051.105] lstrlenW (lpString="trillian.exe") returned 12 [0051.105] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0051.105] lstrlenW (lpString="webdrive.exe") returned 12 [0051.105] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0051.105] lstrlenW (lpString="whatsapp.exe") returned 12 [0051.106] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0051.106] lstrlenW (lpString="winscp.exe") returned 10 [0051.106] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0051.106] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0051.107] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0051.107] lstrlenW (lpString="active-charge.exe") returned 17 [0051.107] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0051.107] lstrlenW (lpString="accupos.exe") returned 11 [0051.107] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0051.108] lstrlenW (lpString="afr38.exe") returned 9 [0051.108] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0051.108] lstrlenW (lpString="aldelo.exe") returned 10 [0051.108] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0051.109] lstrlenW (lpString="ccv_server.exe") returned 14 [0051.109] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0051.109] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0051.109] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0051.110] lstrlenW (lpString="creditservice.exe") returned 17 [0051.110] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0051.110] lstrlenW (lpString="edcsvr.exe") returned 10 [0051.110] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0051.111] lstrlenW (lpString="fpos.exe") returned 8 [0051.111] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0051.111] lstrlenW (lpString="isspos.exe") returned 10 [0051.111] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0051.112] lstrlenW (lpString="mxslipstream.exe") returned 16 [0051.112] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0051.112] lstrlenW (lpString="omnipos.exe") returned 11 [0051.112] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0051.113] lstrlenW (lpString="spcwin.exe") returned 10 [0051.113] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0051.113] lstrlenW (lpString="spgagentservice.exe") returned 19 [0051.113] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0051.113] lstrlenW (lpString="utg2.exe") returned 8 [0051.113] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0051.114] lstrlenW (lpString="november_objects.exe") returned 20 [0051.114] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0051.114] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0051.114] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0051.115] lstrlenW (lpString="peace_bite.exe") returned 14 [0051.115] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0051.537] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0051.537] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0051.537] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0051.537] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0051.538] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0051.538] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0051.538] lstrlenW (lpString="taskhost.exe") returned 12 [0051.538] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0051.538] lstrlenW (lpString="dllhost.exe") returned 11 [0051.538] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0051.539] lstrlenW (lpString="winhost.exe") returned 11 [0051.539] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0051.539] lstrlenW (lpString="cmd.exe") returned 7 [0051.539] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0051.539] lstrlenW (lpString="conhost.exe") returned 11 [0051.539] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0051.540] lstrlenW (lpString="vssadmin.exe") returned 12 [0051.540] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0051.540] lstrlenW (lpString="VSSVC.exe") returned 9 [0051.540] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.540] lstrlenW (lpString="svchost.exe") returned 11 [0051.540] Process32NextW (in: hSnapshot=0x1d0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0051.541] CloseHandle (hObject=0x1d0) returned 1 [0051.541] Sleep (dwMilliseconds=0x1f4) [0052.443] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x675140 [0052.443] EnumServicesStatusExW (in: hSCManager=0x675140, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0052.444] GetLastError () returned 0xea [0052.444] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x63f6d8 [0052.445] EnumServicesStatusExW (in: hSCManager=0x675140, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x63f6d8, cbBufSize=0x12c6, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x63f6d8, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0052.445] CloseServiceHandle (hSCObject=0x675140) returned 1 [0052.445] lstrlenW (lpString="Appinfo") returned 7 [0052.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0052.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0052.446] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0052.446] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0052.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0052.446] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0052.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0052.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0052.446] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0052.446] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0052.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0052.446] lstrlenW (lpString="AudioSrv") returned 8 [0052.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0052.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0052.446] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0052.446] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0052.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0052.446] lstrlenW (lpString="BFE") returned 3 [0052.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0052.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0052.446] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0052.446] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0052.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0052.446] lstrlenW (lpString="CryptSvc") returned 8 [0052.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0052.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0052.446] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0052.446] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0052.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0052.446] lstrlenW (lpString="CscService") returned 10 [0052.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0052.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0052.446] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0052.446] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0052.447] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0052.447] lstrlenW (lpString="DcomLaunch") returned 10 [0052.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0052.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0052.447] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0052.447] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0052.447] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0052.447] lstrlenW (lpString="Dhcp") returned 4 [0052.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0052.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0052.447] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0052.447] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0052.447] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0052.447] lstrlenW (lpString="Dnscache") returned 8 [0052.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0052.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0052.447] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0052.447] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0052.447] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0052.447] lstrlenW (lpString="DPS") returned 3 [0052.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0052.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0052.447] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0052.447] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0052.447] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0052.447] lstrlenW (lpString="eventlog") returned 8 [0052.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0052.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0052.447] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0052.447] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0052.447] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0052.447] lstrlenW (lpString="EventSystem") returned 11 [0052.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0052.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0052.448] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0052.448] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0052.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0052.448] lstrlenW (lpString="gpsvc") returned 5 [0052.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0052.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0052.448] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0052.448] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0052.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0052.448] lstrlenW (lpString="iphlpsvc") returned 8 [0052.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0052.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0052.448] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0052.448] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0052.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0052.448] lstrlenW (lpString="LanmanServer") returned 12 [0052.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0052.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0052.448] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0052.448] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0052.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0052.448] lstrlenW (lpString="LanmanWorkstation") returned 17 [0052.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0052.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0052.448] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0052.448] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0052.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0052.448] lstrlenW (lpString="lmhosts") returned 7 [0052.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0052.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0052.448] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0052.448] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0052.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0052.449] lstrlenW (lpString="MMCSS") returned 5 [0052.449] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0052.449] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0052.449] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0052.449] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0052.449] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0052.449] lstrlenW (lpString="MpsSvc") returned 6 [0052.449] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0052.449] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0052.449] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0052.449] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0052.449] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0052.449] lstrlenW (lpString="Netman") returned 6 [0052.449] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0052.449] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0052.449] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0052.449] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0052.449] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0052.449] lstrlenW (lpString="netprofm") returned 8 [0052.449] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0052.449] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0052.449] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0052.449] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0052.449] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0052.449] lstrlenW (lpString="NlaSvc") returned 6 [0052.449] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0052.449] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0052.449] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0052.449] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0052.449] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0052.449] lstrlenW (lpString="nsi") returned 3 [0052.449] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0052.449] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0052.449] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0052.450] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0052.450] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0052.450] lstrlenW (lpString="PcaSvc") returned 6 [0052.450] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0052.450] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0052.450] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0052.450] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0052.450] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0052.450] lstrlenW (lpString="PlugPlay") returned 8 [0052.450] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0052.450] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0052.450] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0052.450] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0052.450] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0052.450] lstrlenW (lpString="Power") returned 5 [0052.450] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0052.450] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0052.450] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0052.450] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0052.450] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0052.450] lstrlenW (lpString="ProfSvc") returned 7 [0052.450] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0052.450] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0052.450] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0052.450] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0052.450] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0052.450] lstrlenW (lpString="RpcEptMapper") returned 12 [0052.450] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0052.450] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0052.450] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0052.450] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0052.450] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0052.450] lstrlenW (lpString="RpcSs") returned 5 [0052.450] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0052.451] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0052.451] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0052.451] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0052.451] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0052.451] lstrlenW (lpString="SamSs") returned 5 [0052.451] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0052.451] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0052.451] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0052.451] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0052.451] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0052.451] lstrlenW (lpString="Schedule") returned 8 [0052.451] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0052.451] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0052.451] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0052.451] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0052.451] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0052.451] lstrlenW (lpString="SENS") returned 4 [0052.451] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0052.451] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0052.451] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0052.451] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0052.451] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0052.451] lstrlenW (lpString="ShellHWDetection") returned 16 [0052.451] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0052.451] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0052.451] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0052.451] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0052.451] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0052.451] lstrlenW (lpString="Spooler") returned 7 [0052.451] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0052.451] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0052.451] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0052.451] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0052.451] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0052.451] lstrlenW (lpString="swprv") returned 5 [0052.451] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0052.452] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0052.452] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0052.452] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0052.452] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0052.452] lstrlenW (lpString="SysMain") returned 7 [0052.452] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0052.452] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0052.452] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0052.452] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0052.452] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0052.452] lstrlenW (lpString="Themes") returned 6 [0052.452] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0052.452] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0052.452] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0052.452] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0052.452] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0052.452] lstrlenW (lpString="TrkWks") returned 6 [0052.452] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0052.452] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0052.452] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0052.452] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0052.452] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0052.452] lstrlenW (lpString="UxSms") returned 5 [0052.452] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0052.452] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0052.452] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0052.452] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0052.452] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0052.452] lstrlenW (lpString="VSS") returned 3 [0052.452] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0052.452] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0052.452] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0052.452] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0052.452] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0052.452] lstrlenW (lpString="WdiServiceHost") returned 14 [0052.453] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0052.453] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0052.453] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0052.453] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0052.453] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0052.453] lstrlenW (lpString="WdiSystemHost") returned 13 [0052.453] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0052.453] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0052.453] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0052.453] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0052.453] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0052.453] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0052.453] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0052.453] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0052.453] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0052.453] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0052.453] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0052.453] lstrlenW (lpString="Winmgmt") returned 7 [0052.453] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0052.453] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0052.453] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0052.453] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0052.453] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0052.453] lstrlenW (lpString="WPDBusEnum") returned 10 [0052.453] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0052.453] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0052.453] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0052.453] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0052.453] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0052.453] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63f6d8 | out: hHeap=0x5f0000) returned 1 [0052.453] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1f0 [0052.457] Process32FirstW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0052.457] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0052.458] lstrlenW (lpString="System") returned 6 [0052.458] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0052.458] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0052.458] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0052.458] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0052.458] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0052.458] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0052.458] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0052.458] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0052.458] lstrlenW (lpString="smss.exe") returned 8 [0052.458] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0052.458] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0052.458] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0052.458] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0052.458] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0052.458] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0052.458] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0052.458] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0052.459] lstrlenW (lpString="csrss.exe") returned 9 [0052.459] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0052.459] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0052.459] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0052.459] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0052.459] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0052.459] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0052.459] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0052.459] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0052.459] lstrlenW (lpString="wininit.exe") returned 11 [0052.459] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0052.459] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0052.459] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0052.459] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0052.460] lstrlenW (lpString="csrss.exe") returned 9 [0052.460] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0052.460] lstrlenW (lpString="winlogon.exe") returned 12 [0052.460] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0052.460] lstrlenW (lpString="services.exe") returned 12 [0052.460] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0052.461] lstrlenW (lpString="lsass.exe") returned 9 [0052.461] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0052.461] lstrlenW (lpString="lsm.exe") returned 7 [0052.461] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.461] lstrlenW (lpString="svchost.exe") returned 11 [0052.461] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.462] lstrlenW (lpString="svchost.exe") returned 11 [0052.462] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.462] lstrlenW (lpString="svchost.exe") returned 11 [0052.462] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.462] lstrlenW (lpString="svchost.exe") returned 11 [0052.462] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.463] lstrlenW (lpString="svchost.exe") returned 11 [0052.463] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0052.463] lstrlenW (lpString="audiodg.exe") returned 11 [0052.463] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.463] lstrlenW (lpString="svchost.exe") returned 11 [0052.463] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.463] lstrlenW (lpString="svchost.exe") returned 11 [0052.464] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0052.464] lstrlenW (lpString="dwm.exe") returned 7 [0052.464] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0052.464] lstrlenW (lpString="explorer.exe") returned 12 [0052.464] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0052.464] lstrlenW (lpString="spoolsv.exe") returned 11 [0052.464] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.465] lstrlenW (lpString="svchost.exe") returned 11 [0052.465] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0052.465] lstrlenW (lpString="taskhost.exe") returned 12 [0052.465] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0052.465] lstrlenW (lpString="taskeng.exe") returned 11 [0052.466] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0052.466] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0052.466] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0052.466] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0052.466] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0052.467] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0052.467] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0052.467] lstrlenW (lpString="celebrateowen.exe") returned 17 [0052.467] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0052.468] lstrlenW (lpString="highlights.exe") returned 14 [0052.468] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0052.468] lstrlenW (lpString="armorthunder.exe") returned 16 [0052.468] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0052.468] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0052.468] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0052.469] lstrlenW (lpString="root.exe") returned 8 [0052.469] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0052.469] lstrlenW (lpString="searches.exe") returned 12 [0052.469] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0052.469] lstrlenW (lpString="gnu.exe") returned 7 [0052.469] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0052.469] lstrlenW (lpString="lat differences.exe") returned 19 [0052.469] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0052.470] lstrlenW (lpString="wetdelayed.exe") returned 14 [0052.470] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0052.470] lstrlenW (lpString="scarydm.exe") returned 11 [0052.470] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0052.470] lstrlenW (lpString="relating coating ride.exe") returned 25 [0052.470] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0052.471] lstrlenW (lpString="compressed.exe") returned 14 [0052.471] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0052.471] lstrlenW (lpString="installing.exe") returned 14 [0052.471] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0052.471] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0052.471] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0052.472] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0052.472] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0052.472] lstrlenW (lpString="3dftp.exe") returned 9 [0052.472] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0052.472] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0052.472] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0052.473] lstrlenW (lpString="alftp.exe") returned 9 [0052.473] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0052.473] lstrlenW (lpString="barca.exe") returned 9 [0052.473] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0052.473] lstrlenW (lpString="bitkinex.exe") returned 12 [0052.473] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0052.474] lstrlenW (lpString="coreftp.exe") returned 11 [0052.474] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0052.474] lstrlenW (lpString="far.exe") returned 7 [0052.474] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0052.474] lstrlenW (lpString="filezilla.exe") returned 13 [0052.474] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0052.474] lstrlenW (lpString="flashfxp.exe") returned 12 [0052.475] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0052.475] lstrlenW (lpString="fling.exe") returned 9 [0052.475] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0052.475] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0052.475] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0052.475] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0052.475] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0052.476] lstrlenW (lpString="icq.exe") returned 7 [0052.476] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0052.476] lstrlenW (lpString="leechftp.exe") returned 12 [0052.476] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0052.476] lstrlenW (lpString="ncftp.exe") returned 9 [0052.476] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0052.477] lstrlenW (lpString="notepad.exe") returned 11 [0052.477] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0052.477] lstrlenW (lpString="operamail.exe") returned 13 [0052.477] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0052.477] lstrlenW (lpString="pidgin.exe") returned 10 [0052.477] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0052.478] lstrlenW (lpString="scriptftp.exe") returned 13 [0052.478] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0052.478] lstrlenW (lpString="skype.exe") returned 9 [0052.478] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0052.479] lstrlenW (lpString="smartftp.exe") returned 12 [0052.479] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0052.479] lstrlenW (lpString="thunderbird.exe") returned 15 [0052.479] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0052.480] lstrlenW (lpString="totalcmd.exe") returned 12 [0052.480] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0052.480] lstrlenW (lpString="trillian.exe") returned 12 [0052.480] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0052.480] lstrlenW (lpString="webdrive.exe") returned 12 [0052.480] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0052.481] lstrlenW (lpString="whatsapp.exe") returned 12 [0052.481] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0052.481] lstrlenW (lpString="winscp.exe") returned 10 [0052.481] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0052.482] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0052.482] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0052.482] lstrlenW (lpString="active-charge.exe") returned 17 [0052.482] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0052.483] lstrlenW (lpString="accupos.exe") returned 11 [0052.483] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0052.483] lstrlenW (lpString="afr38.exe") returned 9 [0052.483] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0052.484] lstrlenW (lpString="aldelo.exe") returned 10 [0052.484] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0052.485] lstrlenW (lpString="ccv_server.exe") returned 14 [0052.485] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0052.485] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0052.485] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0052.486] lstrlenW (lpString="creditservice.exe") returned 17 [0052.486] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0052.486] lstrlenW (lpString="edcsvr.exe") returned 10 [0052.486] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0052.487] lstrlenW (lpString="fpos.exe") returned 8 [0052.487] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0052.487] lstrlenW (lpString="isspos.exe") returned 10 [0052.487] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0052.488] lstrlenW (lpString="mxslipstream.exe") returned 16 [0052.488] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0052.941] lstrlenW (lpString="omnipos.exe") returned 11 [0052.944] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0052.949] lstrlenW (lpString="spcwin.exe") returned 10 [0052.952] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0052.958] lstrlenW (lpString="spgagentservice.exe") returned 19 [0052.958] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0052.964] lstrlenW (lpString="utg2.exe") returned 8 [0052.964] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0052.971] lstrlenW (lpString="november_objects.exe") returned 20 [0052.971] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0052.971] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0052.971] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0052.971] lstrlenW (lpString="peace_bite.exe") returned 14 [0052.971] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0052.972] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0052.972] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0052.972] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0052.972] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0052.973] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0052.973] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0052.973] lstrlenW (lpString="taskhost.exe") returned 12 [0052.973] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0052.973] lstrlenW (lpString="winhost.exe") returned 11 [0052.973] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0052.974] lstrlenW (lpString="cmd.exe") returned 7 [0052.974] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0052.974] lstrlenW (lpString="conhost.exe") returned 11 [0052.974] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0052.975] lstrlenW (lpString="vssadmin.exe") returned 12 [0052.975] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0052.975] lstrlenW (lpString="VSSVC.exe") returned 9 [0052.975] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.975] lstrlenW (lpString="svchost.exe") returned 11 [0052.975] Process32NextW (in: hSnapshot=0x1f0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0052.976] CloseHandle (hObject=0x1f0) returned 1 [0052.976] Sleep (dwMilliseconds=0x1f4) [0053.814] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x675190 [0053.815] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0053.816] GetLastError () returned 0xea [0053.816] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x63f6d8 [0053.817] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x63f6d8, cbBufSize=0x12c6, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x63f6d8, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0053.818] CloseServiceHandle (hSCObject=0x675190) returned 1 [0053.818] lstrlenW (lpString="Appinfo") returned 7 [0053.818] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0053.818] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0053.818] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0053.818] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0053.818] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0053.818] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0053.818] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0053.818] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0053.818] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0053.818] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0053.818] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0053.818] lstrlenW (lpString="AudioSrv") returned 8 [0053.819] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0053.819] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0053.819] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0053.819] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0053.819] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0053.819] lstrlenW (lpString="BFE") returned 3 [0053.819] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0053.819] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0053.819] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0053.819] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0053.819] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0053.819] lstrlenW (lpString="CryptSvc") returned 8 [0053.819] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0053.819] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0053.819] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0053.819] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0053.819] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0053.819] lstrlenW (lpString="CscService") returned 10 [0053.819] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0053.819] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0053.819] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0053.819] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0053.819] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0053.820] lstrlenW (lpString="DcomLaunch") returned 10 [0053.820] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0053.820] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0053.820] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0053.820] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0053.820] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0053.820] lstrlenW (lpString="Dhcp") returned 4 [0053.820] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0053.820] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0053.820] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0053.820] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0053.820] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0053.820] lstrlenW (lpString="Dnscache") returned 8 [0053.820] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0053.820] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0053.820] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0053.820] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0053.820] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0053.820] lstrlenW (lpString="DPS") returned 3 [0053.820] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0053.820] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0053.821] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0053.821] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0053.821] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0053.821] lstrlenW (lpString="eventlog") returned 8 [0053.821] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0053.821] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0053.821] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0053.821] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0053.821] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0053.821] lstrlenW (lpString="EventSystem") returned 11 [0053.821] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0053.821] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0053.821] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0053.821] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0053.821] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0053.821] lstrlenW (lpString="gpsvc") returned 5 [0053.821] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0053.821] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0053.821] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0053.821] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0053.821] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0053.821] lstrlenW (lpString="iphlpsvc") returned 8 [0053.822] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0053.822] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0053.822] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0053.822] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0053.822] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0053.822] lstrlenW (lpString="LanmanServer") returned 12 [0053.822] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0053.822] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0053.822] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0053.822] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0053.822] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0053.822] lstrlenW (lpString="LanmanWorkstation") returned 17 [0053.822] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0053.822] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0053.822] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0053.822] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0053.822] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0053.822] lstrlenW (lpString="lmhosts") returned 7 [0053.822] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0053.822] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0053.822] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0053.822] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0053.822] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0053.822] lstrlenW (lpString="MMCSS") returned 5 [0053.823] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0053.823] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0053.823] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0053.823] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0053.823] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0053.823] lstrlenW (lpString="MpsSvc") returned 6 [0053.823] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0053.823] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0053.823] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0053.823] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0053.823] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0053.823] lstrlenW (lpString="Netman") returned 6 [0053.823] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0053.823] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0053.823] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0053.823] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0053.823] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0053.823] lstrlenW (lpString="netprofm") returned 8 [0053.823] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0053.823] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0053.823] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0053.823] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0053.823] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0053.823] lstrlenW (lpString="NlaSvc") returned 6 [0053.823] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0053.823] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0053.824] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0053.824] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0053.824] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0053.824] lstrlenW (lpString="nsi") returned 3 [0053.824] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0053.824] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0053.824] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0053.824] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0053.824] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0053.824] lstrlenW (lpString="PcaSvc") returned 6 [0053.824] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0053.824] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0053.824] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0053.824] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0053.824] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0053.824] lstrlenW (lpString="PlugPlay") returned 8 [0053.824] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0053.824] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0053.824] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0053.824] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0053.824] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0053.824] lstrlenW (lpString="Power") returned 5 [0053.824] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0053.824] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0053.824] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0053.824] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0053.824] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0053.825] lstrlenW (lpString="ProfSvc") returned 7 [0053.825] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0053.825] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0053.825] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0053.825] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0053.825] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0053.825] lstrlenW (lpString="RpcEptMapper") returned 12 [0053.825] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0053.825] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0053.825] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0053.825] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0053.825] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0053.825] lstrlenW (lpString="RpcSs") returned 5 [0053.825] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0053.825] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0053.825] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0053.825] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0053.825] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0053.825] lstrlenW (lpString="SamSs") returned 5 [0053.825] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0053.825] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0053.825] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0053.825] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0053.825] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0053.825] lstrlenW (lpString="Schedule") returned 8 [0053.825] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0053.825] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0053.825] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0053.826] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0053.826] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0053.826] lstrlenW (lpString="SENS") returned 4 [0053.826] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0053.826] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0053.826] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0053.826] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0053.826] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0053.826] lstrlenW (lpString="ShellHWDetection") returned 16 [0053.826] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0053.826] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0053.826] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0053.826] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0053.826] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0053.826] lstrlenW (lpString="Spooler") returned 7 [0053.826] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0053.826] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0053.826] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0053.826] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0053.826] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0053.826] lstrlenW (lpString="swprv") returned 5 [0053.826] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0053.826] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0053.826] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0053.826] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0053.826] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0053.826] lstrlenW (lpString="SysMain") returned 7 [0053.826] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0053.826] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0053.826] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0053.827] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0053.827] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0053.827] lstrlenW (lpString="Themes") returned 6 [0053.827] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0053.827] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0053.827] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0053.827] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0053.827] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0053.827] lstrlenW (lpString="TrkWks") returned 6 [0053.827] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0053.827] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0053.827] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0053.827] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0053.827] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0053.827] lstrlenW (lpString="UxSms") returned 5 [0053.827] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0053.827] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0053.827] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0053.827] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0053.827] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0053.827] lstrlenW (lpString="VSS") returned 3 [0053.827] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0053.827] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0053.827] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0053.827] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0053.827] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0053.827] lstrlenW (lpString="WdiServiceHost") returned 14 [0053.827] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0053.827] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0053.827] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0053.828] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0053.828] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0053.828] lstrlenW (lpString="WdiSystemHost") returned 13 [0053.828] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0053.828] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0053.828] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0053.828] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0053.828] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0053.828] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0053.828] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0053.828] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0053.828] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0053.828] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0053.828] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0053.828] lstrlenW (lpString="Winmgmt") returned 7 [0053.828] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0053.828] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0053.828] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0053.828] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0053.828] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0053.828] lstrlenW (lpString="WPDBusEnum") returned 10 [0053.828] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0053.828] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0053.828] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0053.828] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0053.828] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0053.828] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63f6d8 | out: hHeap=0x5f0000) returned 1 [0053.829] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1ec [0053.834] Process32FirstW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0053.834] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0053.834] lstrlenW (lpString="System") returned 6 [0053.834] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0053.834] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0053.834] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0053.834] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0053.834] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0053.834] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0053.834] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0053.834] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0053.835] lstrlenW (lpString="smss.exe") returned 8 [0053.835] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0053.835] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0053.835] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0053.835] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0053.835] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0053.835] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0053.835] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0053.835] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.835] lstrlenW (lpString="csrss.exe") returned 9 [0053.835] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0053.835] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0053.835] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0053.835] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0053.835] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0053.835] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0053.835] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0053.835] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0053.836] lstrlenW (lpString="wininit.exe") returned 11 [0053.836] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0053.836] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0053.836] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0053.836] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.836] lstrlenW (lpString="csrss.exe") returned 9 [0053.836] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0053.837] lstrlenW (lpString="winlogon.exe") returned 12 [0053.837] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0053.837] lstrlenW (lpString="services.exe") returned 12 [0053.837] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0053.837] lstrlenW (lpString="lsass.exe") returned 9 [0053.837] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0053.838] lstrlenW (lpString="lsm.exe") returned 7 [0053.838] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.838] lstrlenW (lpString="svchost.exe") returned 11 [0053.838] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.839] lstrlenW (lpString="svchost.exe") returned 11 [0053.839] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.839] lstrlenW (lpString="svchost.exe") returned 11 [0053.839] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.839] lstrlenW (lpString="svchost.exe") returned 11 [0053.839] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.840] lstrlenW (lpString="svchost.exe") returned 11 [0053.840] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0053.840] lstrlenW (lpString="audiodg.exe") returned 11 [0053.840] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.841] lstrlenW (lpString="svchost.exe") returned 11 [0053.841] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.877] lstrlenW (lpString="svchost.exe") returned 11 [0053.877] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0053.877] lstrlenW (lpString="dwm.exe") returned 7 [0053.877] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0053.878] lstrlenW (lpString="explorer.exe") returned 12 [0053.878] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0053.878] lstrlenW (lpString="spoolsv.exe") returned 11 [0053.878] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.879] lstrlenW (lpString="svchost.exe") returned 11 [0053.879] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0053.879] lstrlenW (lpString="taskhost.exe") returned 12 [0053.879] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0053.879] lstrlenW (lpString="taskeng.exe") returned 11 [0053.879] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0053.880] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0053.880] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0053.880] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0053.880] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0053.880] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0053.881] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0053.881] lstrlenW (lpString="celebrateowen.exe") returned 17 [0053.881] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0053.881] lstrlenW (lpString="highlights.exe") returned 14 [0053.881] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0053.881] lstrlenW (lpString="armorthunder.exe") returned 16 [0053.881] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0053.882] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0053.882] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0053.882] lstrlenW (lpString="root.exe") returned 8 [0053.882] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0053.882] lstrlenW (lpString="searches.exe") returned 12 [0053.882] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0053.883] lstrlenW (lpString="gnu.exe") returned 7 [0053.883] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0053.883] lstrlenW (lpString="lat differences.exe") returned 19 [0053.883] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0053.883] lstrlenW (lpString="wetdelayed.exe") returned 14 [0053.883] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0053.883] lstrlenW (lpString="scarydm.exe") returned 11 [0053.884] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0053.884] lstrlenW (lpString="relating coating ride.exe") returned 25 [0053.884] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0053.884] lstrlenW (lpString="compressed.exe") returned 14 [0053.884] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0053.884] lstrlenW (lpString="installing.exe") returned 14 [0053.884] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0053.885] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0053.885] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0053.885] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0053.885] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0053.885] lstrlenW (lpString="3dftp.exe") returned 9 [0053.885] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0053.886] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0053.886] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0053.886] lstrlenW (lpString="alftp.exe") returned 9 [0053.886] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0053.886] lstrlenW (lpString="barca.exe") returned 9 [0053.886] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0053.886] lstrlenW (lpString="bitkinex.exe") returned 12 [0053.886] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0053.887] lstrlenW (lpString="coreftp.exe") returned 11 [0053.887] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0053.887] lstrlenW (lpString="far.exe") returned 7 [0053.887] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0053.887] lstrlenW (lpString="filezilla.exe") returned 13 [0053.888] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0053.888] lstrlenW (lpString="flashfxp.exe") returned 12 [0053.888] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0053.888] lstrlenW (lpString="fling.exe") returned 9 [0053.888] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0053.889] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0053.889] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0053.889] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0053.889] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0053.889] lstrlenW (lpString="icq.exe") returned 7 [0053.890] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0053.890] lstrlenW (lpString="leechftp.exe") returned 12 [0053.890] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0053.890] lstrlenW (lpString="ncftp.exe") returned 9 [0053.890] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0053.891] lstrlenW (lpString="notepad.exe") returned 11 [0053.891] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0053.891] lstrlenW (lpString="operamail.exe") returned 13 [0053.891] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0053.892] lstrlenW (lpString="pidgin.exe") returned 10 [0053.892] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0054.595] lstrlenW (lpString="scriptftp.exe") returned 13 [0054.595] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0054.595] lstrlenW (lpString="skype.exe") returned 9 [0054.595] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0054.596] lstrlenW (lpString="smartftp.exe") returned 12 [0054.596] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0054.596] lstrlenW (lpString="thunderbird.exe") returned 15 [0054.596] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0054.597] lstrlenW (lpString="totalcmd.exe") returned 12 [0054.597] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0054.597] lstrlenW (lpString="trillian.exe") returned 12 [0054.597] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0054.598] lstrlenW (lpString="webdrive.exe") returned 12 [0054.598] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0054.598] lstrlenW (lpString="whatsapp.exe") returned 12 [0054.598] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0054.599] lstrlenW (lpString="winscp.exe") returned 10 [0054.599] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0054.599] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0054.600] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0054.600] lstrlenW (lpString="active-charge.exe") returned 17 [0054.600] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0054.600] lstrlenW (lpString="accupos.exe") returned 11 [0054.601] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0054.601] lstrlenW (lpString="afr38.exe") returned 9 [0054.601] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0054.602] lstrlenW (lpString="aldelo.exe") returned 10 [0054.602] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0054.602] lstrlenW (lpString="ccv_server.exe") returned 14 [0054.602] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0054.602] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0054.603] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0054.603] lstrlenW (lpString="creditservice.exe") returned 17 [0054.603] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0054.603] lstrlenW (lpString="edcsvr.exe") returned 10 [0054.604] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0054.604] lstrlenW (lpString="fpos.exe") returned 8 [0054.604] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0054.604] lstrlenW (lpString="isspos.exe") returned 10 [0054.604] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0054.605] lstrlenW (lpString="mxslipstream.exe") returned 16 [0054.605] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0054.605] lstrlenW (lpString="omnipos.exe") returned 11 [0054.605] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0054.606] lstrlenW (lpString="spcwin.exe") returned 10 [0054.606] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0054.606] lstrlenW (lpString="spgagentservice.exe") returned 19 [0054.606] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0054.607] lstrlenW (lpString="utg2.exe") returned 8 [0054.607] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0054.607] lstrlenW (lpString="november_objects.exe") returned 20 [0054.607] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0054.608] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0054.608] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0054.608] lstrlenW (lpString="peace_bite.exe") returned 14 [0054.608] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0054.609] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0054.609] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0054.609] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0054.609] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0054.610] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0054.610] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0054.610] lstrlenW (lpString="taskhost.exe") returned 12 [0054.610] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0054.610] lstrlenW (lpString="winhost.exe") returned 11 [0054.610] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0054.611] lstrlenW (lpString="cmd.exe") returned 7 [0054.611] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0054.614] lstrlenW (lpString="conhost.exe") returned 11 [0054.614] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0054.614] lstrlenW (lpString="vssadmin.exe") returned 12 [0054.614] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0054.615] lstrlenW (lpString="VSSVC.exe") returned 9 [0054.615] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.615] lstrlenW (lpString="svchost.exe") returned 11 [0054.615] Process32NextW (in: hSnapshot=0x1ec, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0054.615] CloseHandle (hObject=0x1ec) returned 1 [0054.615] Sleep (dwMilliseconds=0x1f4) [0056.101] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x675190 [0056.102] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0056.103] GetLastError () returned 0xea [0056.103] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x63f6d8 [0056.103] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x63f6d8, cbBufSize=0x12c6, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x63f6d8, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0056.103] CloseServiceHandle (hSCObject=0x675190) returned 1 [0056.104] lstrlenW (lpString="Appinfo") returned 7 [0056.104] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0056.104] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0056.104] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0056.104] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0056.104] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0056.104] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0056.104] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0056.104] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0056.104] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0056.104] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0056.104] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0056.104] lstrlenW (lpString="AudioSrv") returned 8 [0056.104] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0056.104] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0056.104] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0056.104] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0056.104] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0056.104] lstrlenW (lpString="BFE") returned 3 [0056.104] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0056.104] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0056.104] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0056.104] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0056.104] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0056.104] lstrlenW (lpString="CryptSvc") returned 8 [0056.104] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0056.104] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0056.104] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0056.104] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0056.104] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0056.104] lstrlenW (lpString="CscService") returned 10 [0056.104] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0056.104] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0056.104] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0056.104] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0056.104] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0056.104] lstrlenW (lpString="DcomLaunch") returned 10 [0056.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0056.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0056.105] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0056.105] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0056.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0056.105] lstrlenW (lpString="Dhcp") returned 4 [0056.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0056.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0056.105] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0056.105] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0056.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0056.105] lstrlenW (lpString="Dnscache") returned 8 [0056.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0056.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0056.105] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0056.105] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0056.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0056.105] lstrlenW (lpString="DPS") returned 3 [0056.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0056.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0056.105] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0056.105] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0056.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0056.105] lstrlenW (lpString="eventlog") returned 8 [0056.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0056.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0056.105] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0056.105] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0056.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0056.105] lstrlenW (lpString="EventSystem") returned 11 [0056.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0056.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0056.105] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0056.105] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0056.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0056.105] lstrlenW (lpString="gpsvc") returned 5 [0056.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0056.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0056.106] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0056.106] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0056.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0056.106] lstrlenW (lpString="iphlpsvc") returned 8 [0056.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0056.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0056.106] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0056.106] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0056.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0056.106] lstrlenW (lpString="LanmanServer") returned 12 [0056.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0056.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0056.106] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0056.106] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0056.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0056.106] lstrlenW (lpString="LanmanWorkstation") returned 17 [0056.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0056.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0056.106] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0056.106] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0056.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0056.106] lstrlenW (lpString="lmhosts") returned 7 [0056.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0056.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0056.106] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0056.106] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0056.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0056.106] lstrlenW (lpString="MMCSS") returned 5 [0056.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0056.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0056.106] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0056.106] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0056.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0056.106] lstrlenW (lpString="MpsSvc") returned 6 [0056.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0056.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0056.107] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0056.107] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0056.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0056.107] lstrlenW (lpString="Netman") returned 6 [0056.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0056.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0056.107] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0056.107] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0056.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0056.107] lstrlenW (lpString="netprofm") returned 8 [0056.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0056.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0056.107] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0056.107] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0056.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0056.107] lstrlenW (lpString="NlaSvc") returned 6 [0056.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0056.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0056.107] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0056.107] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0056.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0056.107] lstrlenW (lpString="nsi") returned 3 [0056.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0056.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0056.107] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0056.108] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0056.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0056.108] lstrlenW (lpString="PcaSvc") returned 6 [0056.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0056.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0056.108] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0056.108] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0056.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0056.108] lstrlenW (lpString="PlugPlay") returned 8 [0056.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0056.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0056.108] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0056.108] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0056.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0056.108] lstrlenW (lpString="Power") returned 5 [0056.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0056.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0056.108] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0056.108] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0056.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0056.108] lstrlenW (lpString="ProfSvc") returned 7 [0056.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0056.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0056.108] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0056.108] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0056.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0056.108] lstrlenW (lpString="RpcEptMapper") returned 12 [0056.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0056.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0056.108] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0056.108] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0056.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0056.108] lstrlenW (lpString="RpcSs") returned 5 [0056.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0056.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0056.108] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0056.108] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0056.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0056.109] lstrlenW (lpString="SamSs") returned 5 [0056.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0056.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0056.109] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0056.109] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0056.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0056.109] lstrlenW (lpString="Schedule") returned 8 [0056.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0056.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0056.109] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0056.109] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0056.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0056.109] lstrlenW (lpString="SENS") returned 4 [0056.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0056.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0056.109] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0056.109] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0056.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0056.109] lstrlenW (lpString="ShellHWDetection") returned 16 [0056.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0056.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0056.109] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0056.109] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0056.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0056.109] lstrlenW (lpString="Spooler") returned 7 [0056.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0056.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0056.109] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0056.109] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0056.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0056.109] lstrlenW (lpString="swprv") returned 5 [0056.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0056.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0056.109] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0056.109] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0056.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0056.110] lstrlenW (lpString="SysMain") returned 7 [0056.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0056.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0056.110] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0056.110] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0056.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0056.110] lstrlenW (lpString="Themes") returned 6 [0056.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0056.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0056.110] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0056.110] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0056.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0056.110] lstrlenW (lpString="TrkWks") returned 6 [0056.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0056.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0056.110] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0056.110] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0056.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0056.110] lstrlenW (lpString="UxSms") returned 5 [0056.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0056.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0056.110] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0056.110] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0056.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0056.110] lstrlenW (lpString="VSS") returned 3 [0056.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0056.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0056.110] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0056.110] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0056.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0056.110] lstrlenW (lpString="WdiServiceHost") returned 14 [0056.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0056.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0056.110] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0056.110] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0056.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0056.110] lstrlenW (lpString="WdiSystemHost") returned 13 [0056.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0056.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0056.111] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0056.111] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0056.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0056.111] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0056.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0056.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0056.111] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0056.111] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0056.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0056.111] lstrlenW (lpString="Winmgmt") returned 7 [0056.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0056.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0056.111] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0056.111] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0056.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0056.111] lstrlenW (lpString="WPDBusEnum") returned 10 [0056.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0056.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0056.111] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0056.111] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0056.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0056.111] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63f6d8 | out: hHeap=0x5f0000) returned 1 [0056.111] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0056.115] Process32FirstW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0056.115] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0056.115] lstrlenW (lpString="System") returned 6 [0056.115] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0056.115] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0056.115] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0056.115] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0056.115] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0056.115] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0056.116] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0056.116] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0056.116] lstrlenW (lpString="smss.exe") returned 8 [0056.116] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0056.116] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0056.116] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0056.116] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0056.116] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0056.116] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0056.116] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0056.116] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.116] lstrlenW (lpString="csrss.exe") returned 9 [0056.116] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0056.116] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0056.116] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0056.116] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0056.116] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0056.116] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0056.116] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0056.116] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0056.117] lstrlenW (lpString="wininit.exe") returned 11 [0056.117] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0056.118] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0056.118] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0056.118] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.118] lstrlenW (lpString="csrss.exe") returned 9 [0056.118] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0056.118] lstrlenW (lpString="winlogon.exe") returned 12 [0056.118] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0056.119] lstrlenW (lpString="services.exe") returned 12 [0056.119] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0056.119] lstrlenW (lpString="lsass.exe") returned 9 [0056.119] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0056.119] lstrlenW (lpString="lsm.exe") returned 7 [0056.119] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.119] lstrlenW (lpString="svchost.exe") returned 11 [0056.119] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.120] lstrlenW (lpString="svchost.exe") returned 11 [0056.120] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.120] lstrlenW (lpString="svchost.exe") returned 11 [0056.120] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.120] lstrlenW (lpString="svchost.exe") returned 11 [0056.120] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.121] lstrlenW (lpString="svchost.exe") returned 11 [0056.121] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0056.121] lstrlenW (lpString="audiodg.exe") returned 11 [0056.121] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.121] lstrlenW (lpString="svchost.exe") returned 11 [0056.121] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.121] lstrlenW (lpString="svchost.exe") returned 11 [0056.121] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0056.122] lstrlenW (lpString="dwm.exe") returned 7 [0056.122] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0056.122] lstrlenW (lpString="explorer.exe") returned 12 [0056.122] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0056.122] lstrlenW (lpString="spoolsv.exe") returned 11 [0056.122] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.123] lstrlenW (lpString="svchost.exe") returned 11 [0056.123] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0056.123] lstrlenW (lpString="taskhost.exe") returned 12 [0056.123] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0056.123] lstrlenW (lpString="taskeng.exe") returned 11 [0056.123] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0056.124] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0056.124] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0056.124] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0056.124] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0056.124] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0056.124] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0056.125] lstrlenW (lpString="celebrateowen.exe") returned 17 [0056.125] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0056.125] lstrlenW (lpString="highlights.exe") returned 14 [0056.125] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0056.125] lstrlenW (lpString="armorthunder.exe") returned 16 [0056.125] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0056.125] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0056.125] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0056.126] lstrlenW (lpString="root.exe") returned 8 [0056.126] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0056.126] lstrlenW (lpString="searches.exe") returned 12 [0056.126] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0056.126] lstrlenW (lpString="gnu.exe") returned 7 [0056.126] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0056.127] lstrlenW (lpString="lat differences.exe") returned 19 [0056.127] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0056.127] lstrlenW (lpString="wetdelayed.exe") returned 14 [0056.127] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0056.127] lstrlenW (lpString="scarydm.exe") returned 11 [0056.127] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0056.127] lstrlenW (lpString="relating coating ride.exe") returned 25 [0056.127] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0056.128] lstrlenW (lpString="compressed.exe") returned 14 [0056.128] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0056.128] lstrlenW (lpString="installing.exe") returned 14 [0056.128] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0056.128] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0056.128] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0056.129] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0056.129] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0056.129] lstrlenW (lpString="3dftp.exe") returned 9 [0056.129] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0056.129] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0056.129] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0056.129] lstrlenW (lpString="alftp.exe") returned 9 [0056.129] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0056.130] lstrlenW (lpString="barca.exe") returned 9 [0056.130] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0056.130] lstrlenW (lpString="bitkinex.exe") returned 12 [0056.130] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0056.130] lstrlenW (lpString="coreftp.exe") returned 11 [0056.130] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0056.131] lstrlenW (lpString="far.exe") returned 7 [0056.131] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0056.131] lstrlenW (lpString="filezilla.exe") returned 13 [0056.131] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0056.131] lstrlenW (lpString="flashfxp.exe") returned 12 [0056.131] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0056.131] lstrlenW (lpString="fling.exe") returned 9 [0056.132] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0056.132] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0056.132] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0056.132] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0056.132] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0056.132] lstrlenW (lpString="icq.exe") returned 7 [0056.132] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0056.133] lstrlenW (lpString="leechftp.exe") returned 12 [0056.133] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0056.133] lstrlenW (lpString="ncftp.exe") returned 9 [0056.133] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0056.133] lstrlenW (lpString="notepad.exe") returned 11 [0056.133] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0056.134] lstrlenW (lpString="operamail.exe") returned 13 [0056.134] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0056.134] lstrlenW (lpString="pidgin.exe") returned 10 [0056.134] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0056.134] lstrlenW (lpString="scriptftp.exe") returned 13 [0056.134] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0056.135] lstrlenW (lpString="skype.exe") returned 9 [0056.135] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0056.135] lstrlenW (lpString="smartftp.exe") returned 12 [0056.135] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0056.136] lstrlenW (lpString="thunderbird.exe") returned 15 [0056.136] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0056.136] lstrlenW (lpString="totalcmd.exe") returned 12 [0056.136] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0056.136] lstrlenW (lpString="trillian.exe") returned 12 [0056.136] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0056.137] lstrlenW (lpString="webdrive.exe") returned 12 [0056.137] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0056.137] lstrlenW (lpString="whatsapp.exe") returned 12 [0056.137] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0056.138] lstrlenW (lpString="winscp.exe") returned 10 [0056.138] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0056.138] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0056.138] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0056.311] lstrlenW (lpString="active-charge.exe") returned 17 [0056.311] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0056.312] lstrlenW (lpString="accupos.exe") returned 11 [0056.312] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0056.312] lstrlenW (lpString="afr38.exe") returned 9 [0056.312] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0056.313] lstrlenW (lpString="aldelo.exe") returned 10 [0056.313] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0056.313] lstrlenW (lpString="ccv_server.exe") returned 14 [0056.313] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0056.313] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0056.313] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0056.314] lstrlenW (lpString="creditservice.exe") returned 17 [0056.314] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0056.314] lstrlenW (lpString="edcsvr.exe") returned 10 [0056.314] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0056.315] lstrlenW (lpString="fpos.exe") returned 8 [0056.315] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0056.315] lstrlenW (lpString="isspos.exe") returned 10 [0056.315] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0056.315] lstrlenW (lpString="mxslipstream.exe") returned 16 [0056.315] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0056.316] lstrlenW (lpString="omnipos.exe") returned 11 [0056.316] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0056.316] lstrlenW (lpString="spcwin.exe") returned 10 [0056.316] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0056.316] lstrlenW (lpString="spgagentservice.exe") returned 19 [0056.316] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0056.317] lstrlenW (lpString="utg2.exe") returned 8 [0056.317] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0056.317] lstrlenW (lpString="november_objects.exe") returned 20 [0056.317] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0056.317] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0056.317] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0056.318] lstrlenW (lpString="peace_bite.exe") returned 14 [0056.318] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0056.318] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0056.318] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0056.318] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0056.318] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0056.319] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0056.319] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0056.319] lstrlenW (lpString="taskhost.exe") returned 12 [0056.319] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0056.319] lstrlenW (lpString="winhost.exe") returned 11 [0056.319] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0056.320] lstrlenW (lpString="cmd.exe") returned 7 [0056.320] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.320] lstrlenW (lpString="conhost.exe") returned 11 [0056.320] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0056.320] lstrlenW (lpString="vssadmin.exe") returned 12 [0056.320] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0056.321] lstrlenW (lpString="VSSVC.exe") returned 9 [0056.321] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.321] lstrlenW (lpString="svchost.exe") returned 11 [0056.321] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0056.321] CloseHandle (hObject=0x20c) returned 1 [0056.321] Sleep (dwMilliseconds=0x1f4) [0056.872] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x675190 [0056.873] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0056.873] GetLastError () returned 0xea [0056.873] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x63f6d8 [0056.873] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x63f6d8, cbBufSize=0x12c6, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x63f6d8, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0056.874] CloseServiceHandle (hSCObject=0x675190) returned 1 [0056.874] lstrlenW (lpString="Appinfo") returned 7 [0056.874] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0056.874] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0056.874] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0056.874] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0056.874] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0056.874] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0056.874] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0056.874] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0056.874] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0056.874] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0056.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0056.875] lstrlenW (lpString="AudioSrv") returned 8 [0056.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0056.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0056.875] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0056.875] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0056.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0056.875] lstrlenW (lpString="BFE") returned 3 [0056.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0056.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0056.875] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0056.875] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0056.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0056.875] lstrlenW (lpString="CryptSvc") returned 8 [0056.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0056.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0056.875] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0056.875] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0056.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0056.875] lstrlenW (lpString="CscService") returned 10 [0056.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0056.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0056.875] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0056.875] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0056.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0056.875] lstrlenW (lpString="DcomLaunch") returned 10 [0056.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0056.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0056.875] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0056.875] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0056.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0056.875] lstrlenW (lpString="Dhcp") returned 4 [0056.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0056.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0056.875] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0056.875] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0056.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0056.875] lstrlenW (lpString="Dnscache") returned 8 [0056.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0056.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0056.876] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0056.876] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0056.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0056.876] lstrlenW (lpString="DPS") returned 3 [0056.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0056.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0056.876] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0056.876] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0056.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0056.876] lstrlenW (lpString="eventlog") returned 8 [0056.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0056.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0056.876] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0056.876] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0056.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0056.876] lstrlenW (lpString="EventSystem") returned 11 [0056.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0056.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0056.876] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0056.876] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0056.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0056.876] lstrlenW (lpString="gpsvc") returned 5 [0056.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0056.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0056.876] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0056.876] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0056.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0056.876] lstrlenW (lpString="iphlpsvc") returned 8 [0056.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0056.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0056.876] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0056.876] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0056.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0056.876] lstrlenW (lpString="LanmanServer") returned 12 [0056.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0056.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0056.877] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0056.877] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0056.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0056.877] lstrlenW (lpString="LanmanWorkstation") returned 17 [0056.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0056.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0056.877] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0056.877] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0056.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0056.877] lstrlenW (lpString="lmhosts") returned 7 [0056.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0056.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0056.877] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0056.877] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0056.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0056.877] lstrlenW (lpString="MMCSS") returned 5 [0056.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0056.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0056.877] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0056.877] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0056.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0056.877] lstrlenW (lpString="MpsSvc") returned 6 [0056.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0056.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0056.877] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0056.877] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0056.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0056.877] lstrlenW (lpString="Netman") returned 6 [0056.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0056.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0056.877] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0056.877] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0056.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0056.877] lstrlenW (lpString="netprofm") returned 8 [0056.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0056.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0056.877] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0056.877] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0056.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0056.878] lstrlenW (lpString="NlaSvc") returned 6 [0056.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0056.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0056.878] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0056.878] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0056.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0056.878] lstrlenW (lpString="nsi") returned 3 [0056.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0056.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0056.878] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0056.878] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0056.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0056.878] lstrlenW (lpString="PcaSvc") returned 6 [0056.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0056.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0056.878] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0056.878] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0056.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0056.878] lstrlenW (lpString="PlugPlay") returned 8 [0056.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0056.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0056.878] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0056.878] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0056.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0056.878] lstrlenW (lpString="Power") returned 5 [0056.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0056.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0056.878] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0056.878] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0056.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0056.878] lstrlenW (lpString="ProfSvc") returned 7 [0056.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0056.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0056.878] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0056.878] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0056.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0056.879] lstrlenW (lpString="RpcEptMapper") returned 12 [0056.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0056.879] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0056.879] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0056.879] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0056.879] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0056.879] lstrlenW (lpString="RpcSs") returned 5 [0056.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0056.879] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0056.879] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0056.879] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0056.879] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0056.879] lstrlenW (lpString="SamSs") returned 5 [0056.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0056.879] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0056.879] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0056.879] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0056.879] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0056.879] lstrlenW (lpString="Schedule") returned 8 [0056.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0056.879] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0056.879] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0056.879] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0056.879] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0056.879] lstrlenW (lpString="SENS") returned 4 [0056.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0056.879] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0056.879] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0056.879] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0056.879] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0056.879] lstrlenW (lpString="ShellHWDetection") returned 16 [0056.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0056.879] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0056.879] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0056.879] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0056.879] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0056.880] lstrlenW (lpString="Spooler") returned 7 [0056.880] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0056.880] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0056.880] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0056.880] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0056.880] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0056.880] lstrlenW (lpString="swprv") returned 5 [0056.880] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0056.880] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0056.880] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0056.880] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0056.880] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0056.880] lstrlenW (lpString="SysMain") returned 7 [0056.880] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0056.880] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0056.880] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0056.880] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0056.880] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0056.880] lstrlenW (lpString="Themes") returned 6 [0056.880] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0056.880] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0056.880] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0056.880] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0056.880] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0056.880] lstrlenW (lpString="TrkWks") returned 6 [0056.880] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0056.880] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0056.880] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0056.880] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0056.880] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0056.880] lstrlenW (lpString="UxSms") returned 5 [0056.880] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0056.880] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0056.880] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0056.880] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0056.881] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0056.881] lstrlenW (lpString="VSS") returned 3 [0056.881] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0056.881] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0056.881] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0056.881] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0056.881] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0056.881] lstrlenW (lpString="WdiServiceHost") returned 14 [0056.881] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0056.881] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0056.881] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0056.881] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0056.881] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0056.881] lstrlenW (lpString="WdiSystemHost") returned 13 [0056.881] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0056.881] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0056.881] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0056.881] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0056.881] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0056.881] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0056.881] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0056.881] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0056.881] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0056.881] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0056.881] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0056.881] lstrlenW (lpString="Winmgmt") returned 7 [0056.881] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0056.881] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0056.881] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0056.881] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0056.881] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0056.881] lstrlenW (lpString="WPDBusEnum") returned 10 [0056.881] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0056.881] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0056.881] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0056.881] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0056.882] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0056.882] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63f6d8 | out: hHeap=0x5f0000) returned 1 [0056.882] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1a0 [0056.885] Process32FirstW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0056.886] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0056.886] lstrlenW (lpString="System") returned 6 [0056.886] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0056.886] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0056.886] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0056.886] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0056.886] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0056.886] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0056.886] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0056.886] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0056.886] lstrlenW (lpString="smss.exe") returned 8 [0056.886] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0056.886] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0056.886] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0056.887] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0056.887] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0056.887] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0056.887] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0056.887] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.887] lstrlenW (lpString="csrss.exe") returned 9 [0056.887] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0056.887] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0056.887] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0056.887] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0056.887] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0056.887] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0056.887] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0056.887] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0056.887] lstrlenW (lpString="wininit.exe") returned 11 [0056.887] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0056.887] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0056.888] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0056.888] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.888] lstrlenW (lpString="csrss.exe") returned 9 [0056.888] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0056.888] lstrlenW (lpString="winlogon.exe") returned 12 [0056.888] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0056.889] lstrlenW (lpString="services.exe") returned 12 [0056.889] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0056.889] lstrlenW (lpString="lsass.exe") returned 9 [0056.889] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0056.889] lstrlenW (lpString="lsm.exe") returned 7 [0056.889] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.889] lstrlenW (lpString="svchost.exe") returned 11 [0056.889] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.890] lstrlenW (lpString="svchost.exe") returned 11 [0056.890] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.890] lstrlenW (lpString="svchost.exe") returned 11 [0056.890] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.890] lstrlenW (lpString="svchost.exe") returned 11 [0056.890] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.891] lstrlenW (lpString="svchost.exe") returned 11 [0056.891] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0056.891] lstrlenW (lpString="audiodg.exe") returned 11 [0056.891] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.891] lstrlenW (lpString="svchost.exe") returned 11 [0056.891] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.892] lstrlenW (lpString="svchost.exe") returned 11 [0056.892] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0056.892] lstrlenW (lpString="dwm.exe") returned 7 [0056.892] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0056.892] lstrlenW (lpString="explorer.exe") returned 12 [0056.892] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0056.892] lstrlenW (lpString="spoolsv.exe") returned 11 [0056.893] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.893] lstrlenW (lpString="svchost.exe") returned 11 [0056.893] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0056.893] lstrlenW (lpString="taskhost.exe") returned 12 [0056.893] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0056.893] lstrlenW (lpString="taskeng.exe") returned 11 [0056.893] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0056.894] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0056.894] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0056.894] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0056.894] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0056.894] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0056.894] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0056.895] lstrlenW (lpString="celebrateowen.exe") returned 17 [0056.895] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0056.895] lstrlenW (lpString="highlights.exe") returned 14 [0056.895] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0056.895] lstrlenW (lpString="armorthunder.exe") returned 16 [0056.895] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0056.896] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0056.896] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0056.896] lstrlenW (lpString="root.exe") returned 8 [0056.896] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0056.896] lstrlenW (lpString="searches.exe") returned 12 [0056.896] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0056.896] lstrlenW (lpString="gnu.exe") returned 7 [0056.897] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0056.897] lstrlenW (lpString="lat differences.exe") returned 19 [0056.897] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0056.897] lstrlenW (lpString="wetdelayed.exe") returned 14 [0056.897] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0056.897] lstrlenW (lpString="scarydm.exe") returned 11 [0056.897] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0056.898] lstrlenW (lpString="relating coating ride.exe") returned 25 [0056.898] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0056.898] lstrlenW (lpString="compressed.exe") returned 14 [0056.898] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0056.898] lstrlenW (lpString="installing.exe") returned 14 [0056.898] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0056.898] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0056.899] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0056.899] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0056.899] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0056.899] lstrlenW (lpString="3dftp.exe") returned 9 [0056.899] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0056.899] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0056.899] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0056.900] lstrlenW (lpString="alftp.exe") returned 9 [0056.900] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0056.900] lstrlenW (lpString="barca.exe") returned 9 [0056.900] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0056.900] lstrlenW (lpString="bitkinex.exe") returned 12 [0056.900] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0056.900] lstrlenW (lpString="coreftp.exe") returned 11 [0056.901] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0056.901] lstrlenW (lpString="far.exe") returned 7 [0056.901] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0056.901] lstrlenW (lpString="filezilla.exe") returned 13 [0056.901] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0056.901] lstrlenW (lpString="flashfxp.exe") returned 12 [0056.901] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0056.902] lstrlenW (lpString="fling.exe") returned 9 [0056.902] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0056.902] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0056.902] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0056.902] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0056.902] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0056.903] lstrlenW (lpString="icq.exe") returned 7 [0056.903] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0056.903] lstrlenW (lpString="leechftp.exe") returned 12 [0056.903] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0056.903] lstrlenW (lpString="ncftp.exe") returned 9 [0056.903] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0056.904] lstrlenW (lpString="notepad.exe") returned 11 [0056.904] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0056.904] lstrlenW (lpString="operamail.exe") returned 13 [0056.904] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0056.904] lstrlenW (lpString="pidgin.exe") returned 10 [0056.904] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0056.905] lstrlenW (lpString="scriptftp.exe") returned 13 [0056.905] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0056.905] lstrlenW (lpString="skype.exe") returned 9 [0056.905] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0056.906] lstrlenW (lpString="smartftp.exe") returned 12 [0056.906] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0056.906] lstrlenW (lpString="thunderbird.exe") returned 15 [0056.906] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0056.907] lstrlenW (lpString="totalcmd.exe") returned 12 [0056.907] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0056.907] lstrlenW (lpString="trillian.exe") returned 12 [0056.907] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0056.907] lstrlenW (lpString="webdrive.exe") returned 12 [0056.907] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0056.908] lstrlenW (lpString="whatsapp.exe") returned 12 [0056.908] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0056.908] lstrlenW (lpString="winscp.exe") returned 10 [0056.908] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0056.908] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0056.909] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0056.909] lstrlenW (lpString="active-charge.exe") returned 17 [0056.909] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0056.909] lstrlenW (lpString="accupos.exe") returned 11 [0056.909] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0056.910] lstrlenW (lpString="afr38.exe") returned 9 [0056.910] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0056.910] lstrlenW (lpString="aldelo.exe") returned 10 [0056.910] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0056.910] lstrlenW (lpString="ccv_server.exe") returned 14 [0056.910] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0056.911] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0056.911] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0056.911] lstrlenW (lpString="creditservice.exe") returned 17 [0056.911] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0056.912] lstrlenW (lpString="edcsvr.exe") returned 10 [0056.912] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0056.912] lstrlenW (lpString="fpos.exe") returned 8 [0056.912] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0056.912] lstrlenW (lpString="isspos.exe") returned 10 [0056.912] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0056.913] lstrlenW (lpString="mxslipstream.exe") returned 16 [0056.913] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0056.913] lstrlenW (lpString="omnipos.exe") returned 11 [0056.913] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0056.913] lstrlenW (lpString="spcwin.exe") returned 10 [0056.913] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0056.914] lstrlenW (lpString="spgagentservice.exe") returned 19 [0056.914] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0056.914] lstrlenW (lpString="utg2.exe") returned 8 [0056.914] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0056.914] lstrlenW (lpString="november_objects.exe") returned 20 [0056.914] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0056.915] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0056.915] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0056.915] lstrlenW (lpString="peace_bite.exe") returned 14 [0056.915] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0056.915] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0056.915] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0056.916] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0056.916] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0056.916] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0056.916] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0056.916] lstrlenW (lpString="taskhost.exe") returned 12 [0056.916] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0056.917] lstrlenW (lpString="winhost.exe") returned 11 [0056.917] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0056.917] lstrlenW (lpString="cmd.exe") returned 7 [0056.917] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.917] lstrlenW (lpString="conhost.exe") returned 11 [0056.917] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0056.918] lstrlenW (lpString="vssadmin.exe") returned 12 [0056.918] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0056.918] lstrlenW (lpString="VSSVC.exe") returned 9 [0056.918] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.918] lstrlenW (lpString="svchost.exe") returned 11 [0056.918] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0056.919] CloseHandle (hObject=0x1a0) returned 1 [0056.919] Sleep (dwMilliseconds=0x1f4) [0057.433] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x675190 [0057.434] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0057.434] GetLastError () returned 0xea [0057.434] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x63f6d8 [0057.434] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x63f6d8, cbBufSize=0x12c6, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x63f6d8, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0057.435] CloseServiceHandle (hSCObject=0x675190) returned 1 [0057.435] lstrlenW (lpString="Appinfo") returned 7 [0057.435] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0057.435] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0057.435] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0057.435] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0057.435] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0057.435] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0057.436] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0057.436] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0057.436] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0057.436] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0057.436] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0057.436] lstrlenW (lpString="AudioSrv") returned 8 [0057.436] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0057.436] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0057.436] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0057.436] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0057.436] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0057.436] lstrlenW (lpString="BFE") returned 3 [0057.436] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0057.436] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0057.436] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0057.436] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0057.436] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0057.436] lstrlenW (lpString="CryptSvc") returned 8 [0057.436] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0057.436] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0057.436] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0057.436] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0057.436] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0057.436] lstrlenW (lpString="CscService") returned 10 [0057.436] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0057.436] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0057.436] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0057.436] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0057.436] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0057.437] lstrlenW (lpString="DcomLaunch") returned 10 [0057.437] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0057.437] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0057.437] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0057.437] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0057.437] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0057.437] lstrlenW (lpString="Dhcp") returned 4 [0057.437] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0057.437] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0057.437] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0057.437] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0057.437] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0057.437] lstrlenW (lpString="Dnscache") returned 8 [0057.437] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0057.437] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0057.437] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0057.437] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0057.437] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0057.437] lstrlenW (lpString="DPS") returned 3 [0057.437] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0057.437] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0057.437] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0057.437] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0057.437] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0057.437] lstrlenW (lpString="eventlog") returned 8 [0057.437] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0057.437] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0057.437] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0057.437] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0057.438] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0057.438] lstrlenW (lpString="EventSystem") returned 11 [0057.438] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0057.438] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0057.438] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0057.438] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0057.438] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0057.438] lstrlenW (lpString="gpsvc") returned 5 [0057.438] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0057.438] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0057.438] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0057.438] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0057.438] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0057.438] lstrlenW (lpString="iphlpsvc") returned 8 [0057.438] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0057.438] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0057.438] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0057.438] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0057.438] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0057.438] lstrlenW (lpString="LanmanServer") returned 12 [0057.438] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0057.438] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0057.438] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0057.438] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0057.438] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0057.438] lstrlenW (lpString="LanmanWorkstation") returned 17 [0057.438] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0057.438] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0057.438] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0057.439] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0057.439] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0057.439] lstrlenW (lpString="lmhosts") returned 7 [0057.439] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0057.439] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0057.439] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0057.439] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0057.439] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0057.439] lstrlenW (lpString="MMCSS") returned 5 [0057.439] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0057.439] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0057.439] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0057.439] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0057.439] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0057.439] lstrlenW (lpString="MpsSvc") returned 6 [0057.439] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0057.439] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0057.439] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0057.439] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0057.439] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0057.439] lstrlenW (lpString="Netman") returned 6 [0057.439] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0057.439] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0057.439] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0057.439] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0057.439] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0057.439] lstrlenW (lpString="netprofm") returned 8 [0057.439] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0057.439] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0057.440] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0057.440] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0057.440] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0057.440] lstrlenW (lpString="NlaSvc") returned 6 [0057.440] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0057.440] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0057.440] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0057.440] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0057.440] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0057.440] lstrlenW (lpString="nsi") returned 3 [0057.440] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0057.440] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0057.440] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0057.440] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0057.440] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0057.440] lstrlenW (lpString="PcaSvc") returned 6 [0057.440] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0057.440] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0057.440] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0057.440] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0057.440] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0057.440] lstrlenW (lpString="PlugPlay") returned 8 [0057.440] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0057.440] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0057.440] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0057.440] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0057.440] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0057.440] lstrlenW (lpString="Power") returned 5 [0057.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0057.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0057.441] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0057.441] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0057.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0057.441] lstrlenW (lpString="ProfSvc") returned 7 [0057.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0057.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0057.441] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0057.441] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0057.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0057.441] lstrlenW (lpString="RpcEptMapper") returned 12 [0057.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0057.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0057.441] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0057.441] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0057.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0057.441] lstrlenW (lpString="RpcSs") returned 5 [0057.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0057.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0057.441] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0057.441] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0057.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0057.441] lstrlenW (lpString="SamSs") returned 5 [0057.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0057.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0057.441] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0057.441] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0057.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0057.442] lstrlenW (lpString="Schedule") returned 8 [0057.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0057.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0057.442] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0057.442] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0057.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0057.442] lstrlenW (lpString="SENS") returned 4 [0057.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0057.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0057.442] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0057.442] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0057.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0057.442] lstrlenW (lpString="ShellHWDetection") returned 16 [0057.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0057.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0057.442] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0057.442] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0057.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0057.442] lstrlenW (lpString="Spooler") returned 7 [0057.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0057.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0057.442] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0057.442] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0057.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0057.442] lstrlenW (lpString="swprv") returned 5 [0057.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0057.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0057.443] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0057.443] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0057.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0057.443] lstrlenW (lpString="SysMain") returned 7 [0057.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0057.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0057.443] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0057.443] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0057.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0057.443] lstrlenW (lpString="Themes") returned 6 [0057.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0057.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0057.443] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0057.443] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0057.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0057.443] lstrlenW (lpString="TrkWks") returned 6 [0057.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0057.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0057.443] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0057.443] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0057.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0057.443] lstrlenW (lpString="UxSms") returned 5 [0057.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0057.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0057.443] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0057.443] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0057.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0057.443] lstrlenW (lpString="VSS") returned 3 [0057.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0057.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0057.444] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0057.444] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0057.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0057.444] lstrlenW (lpString="WdiServiceHost") returned 14 [0057.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0057.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0057.444] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0057.444] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0057.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0057.444] lstrlenW (lpString="WdiSystemHost") returned 13 [0057.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0057.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0057.444] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0057.444] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0057.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0057.444] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0057.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0057.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0057.444] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0057.444] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0057.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0057.444] lstrlenW (lpString="Winmgmt") returned 7 [0057.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0057.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0057.444] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0057.445] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0057.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0057.445] lstrlenW (lpString="WPDBusEnum") returned 10 [0057.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0057.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0057.445] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0057.445] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0057.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0057.445] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63f6d8 | out: hHeap=0x5f0000) returned 1 [0057.445] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1a0 [0057.449] Process32FirstW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0057.449] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0057.449] lstrlenW (lpString="System") returned 6 [0057.449] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0057.449] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0057.449] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0057.449] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0057.449] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0057.449] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0057.449] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0057.449] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0057.450] lstrlenW (lpString="smss.exe") returned 8 [0057.450] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0057.450] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0057.450] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0057.450] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0057.450] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0057.450] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0057.450] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0057.450] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0057.450] lstrlenW (lpString="csrss.exe") returned 9 [0057.450] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0057.450] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0057.450] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0057.451] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0057.451] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0057.451] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0057.451] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0057.451] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0057.451] lstrlenW (lpString="wininit.exe") returned 11 [0057.451] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0057.451] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0057.451] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0057.451] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0057.452] lstrlenW (lpString="csrss.exe") returned 9 [0057.452] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0057.452] lstrlenW (lpString="winlogon.exe") returned 12 [0057.452] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0057.452] lstrlenW (lpString="services.exe") returned 12 [0057.452] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0057.453] lstrlenW (lpString="lsass.exe") returned 9 [0057.453] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0057.453] lstrlenW (lpString="lsm.exe") returned 7 [0057.453] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.453] lstrlenW (lpString="svchost.exe") returned 11 [0057.453] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.454] lstrlenW (lpString="svchost.exe") returned 11 [0057.454] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.454] lstrlenW (lpString="svchost.exe") returned 11 [0057.454] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.454] lstrlenW (lpString="svchost.exe") returned 11 [0057.455] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.455] lstrlenW (lpString="svchost.exe") returned 11 [0057.455] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0057.455] lstrlenW (lpString="audiodg.exe") returned 11 [0057.455] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.456] lstrlenW (lpString="svchost.exe") returned 11 [0057.456] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.456] lstrlenW (lpString="svchost.exe") returned 11 [0057.456] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0057.456] lstrlenW (lpString="dwm.exe") returned 7 [0057.456] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0057.457] lstrlenW (lpString="explorer.exe") returned 12 [0057.457] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0057.457] lstrlenW (lpString="spoolsv.exe") returned 11 [0057.457] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.457] lstrlenW (lpString="svchost.exe") returned 11 [0057.457] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0057.458] lstrlenW (lpString="taskhost.exe") returned 12 [0057.458] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0057.458] lstrlenW (lpString="taskeng.exe") returned 11 [0057.458] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0057.458] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0057.458] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0057.459] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0057.459] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0057.459] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0057.459] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0057.459] lstrlenW (lpString="celebrateowen.exe") returned 17 [0057.460] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0057.460] lstrlenW (lpString="highlights.exe") returned 14 [0057.460] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0057.460] lstrlenW (lpString="armorthunder.exe") returned 16 [0057.460] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0057.461] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0057.461] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0057.461] lstrlenW (lpString="root.exe") returned 8 [0057.461] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0057.461] lstrlenW (lpString="searches.exe") returned 12 [0057.461] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0057.462] lstrlenW (lpString="gnu.exe") returned 7 [0057.462] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0057.462] lstrlenW (lpString="lat differences.exe") returned 19 [0057.462] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0057.462] lstrlenW (lpString="wetdelayed.exe") returned 14 [0057.462] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0057.463] lstrlenW (lpString="scarydm.exe") returned 11 [0057.463] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0057.463] lstrlenW (lpString="relating coating ride.exe") returned 25 [0057.463] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0057.463] lstrlenW (lpString="compressed.exe") returned 14 [0057.464] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0057.464] lstrlenW (lpString="installing.exe") returned 14 [0057.464] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0057.465] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0057.465] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0057.465] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0057.465] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0057.465] lstrlenW (lpString="3dftp.exe") returned 9 [0057.465] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0057.466] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0057.466] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0057.466] lstrlenW (lpString="alftp.exe") returned 9 [0057.466] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0057.466] lstrlenW (lpString="barca.exe") returned 9 [0057.466] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0057.467] lstrlenW (lpString="bitkinex.exe") returned 12 [0057.467] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0057.467] lstrlenW (lpString="coreftp.exe") returned 11 [0057.467] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0057.467] lstrlenW (lpString="far.exe") returned 7 [0057.468] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0057.468] lstrlenW (lpString="filezilla.exe") returned 13 [0057.468] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0057.468] lstrlenW (lpString="flashfxp.exe") returned 12 [0057.468] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0057.469] lstrlenW (lpString="fling.exe") returned 9 [0057.469] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0057.469] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0057.469] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0057.469] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0057.469] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0057.470] lstrlenW (lpString="icq.exe") returned 7 [0057.470] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0057.470] lstrlenW (lpString="leechftp.exe") returned 12 [0057.470] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0057.470] lstrlenW (lpString="ncftp.exe") returned 9 [0057.470] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0057.471] lstrlenW (lpString="notepad.exe") returned 11 [0057.471] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0057.471] lstrlenW (lpString="operamail.exe") returned 13 [0057.471] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0057.472] lstrlenW (lpString="pidgin.exe") returned 10 [0057.472] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0057.472] lstrlenW (lpString="scriptftp.exe") returned 13 [0057.472] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0057.473] lstrlenW (lpString="skype.exe") returned 9 [0057.473] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0057.473] lstrlenW (lpString="smartftp.exe") returned 12 [0057.473] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0057.474] lstrlenW (lpString="thunderbird.exe") returned 15 [0057.474] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0057.474] lstrlenW (lpString="totalcmd.exe") returned 12 [0057.474] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0057.475] lstrlenW (lpString="trillian.exe") returned 12 [0057.475] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0057.475] lstrlenW (lpString="webdrive.exe") returned 12 [0057.475] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0057.476] lstrlenW (lpString="whatsapp.exe") returned 12 [0057.476] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0057.476] lstrlenW (lpString="winscp.exe") returned 10 [0057.476] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0057.477] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0057.477] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0057.477] lstrlenW (lpString="active-charge.exe") returned 17 [0057.477] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0057.478] lstrlenW (lpString="accupos.exe") returned 11 [0057.478] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0057.478] lstrlenW (lpString="afr38.exe") returned 9 [0057.478] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0057.479] lstrlenW (lpString="aldelo.exe") returned 10 [0057.479] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0057.479] lstrlenW (lpString="ccv_server.exe") returned 14 [0057.479] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0057.480] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0057.480] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0057.480] lstrlenW (lpString="creditservice.exe") returned 17 [0057.480] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0057.481] lstrlenW (lpString="edcsvr.exe") returned 10 [0057.481] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0057.482] lstrlenW (lpString="fpos.exe") returned 8 [0057.482] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0057.482] lstrlenW (lpString="isspos.exe") returned 10 [0057.482] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0057.483] lstrlenW (lpString="mxslipstream.exe") returned 16 [0057.483] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0057.483] lstrlenW (lpString="omnipos.exe") returned 11 [0057.483] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0057.484] lstrlenW (lpString="spcwin.exe") returned 10 [0057.484] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0057.484] lstrlenW (lpString="spgagentservice.exe") returned 19 [0057.484] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0057.485] lstrlenW (lpString="utg2.exe") returned 8 [0057.485] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0057.485] lstrlenW (lpString="november_objects.exe") returned 20 [0057.485] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0057.485] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0057.485] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0057.486] lstrlenW (lpString="peace_bite.exe") returned 14 [0057.486] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0057.486] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0057.486] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0057.487] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0057.487] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0057.487] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0057.487] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0057.488] lstrlenW (lpString="taskhost.exe") returned 12 [0057.488] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0057.488] lstrlenW (lpString="winhost.exe") returned 11 [0057.488] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0057.488] lstrlenW (lpString="cmd.exe") returned 7 [0057.488] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0057.489] lstrlenW (lpString="conhost.exe") returned 11 [0057.489] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0057.489] lstrlenW (lpString="vssadmin.exe") returned 12 [0057.489] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0057.490] lstrlenW (lpString="VSSVC.exe") returned 9 [0057.490] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.490] lstrlenW (lpString="svchost.exe") returned 11 [0057.490] Process32NextW (in: hSnapshot=0x1a0, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0057.490] CloseHandle (hObject=0x1a0) returned 1 [0057.490] Sleep (dwMilliseconds=0x1f4) [0058.117] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x675190 [0058.117] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0058.118] GetLastError () returned 0xea [0058.118] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x63f6d8 [0058.118] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x63f6d8, cbBufSize=0x12c6, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x63f6d8, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0058.118] CloseServiceHandle (hSCObject=0x675190) returned 1 [0058.119] lstrlenW (lpString="Appinfo") returned 7 [0058.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0058.119] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0058.119] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0058.119] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0058.119] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0058.119] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0058.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0058.119] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0058.119] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0058.119] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0058.119] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0058.119] lstrlenW (lpString="AudioSrv") returned 8 [0058.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0058.119] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0058.119] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0058.119] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0058.119] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0058.119] lstrlenW (lpString="BFE") returned 3 [0058.153] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0058.153] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0058.153] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0058.153] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0058.153] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0058.157] lstrlenW (lpString="CryptSvc") returned 8 [0058.157] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0058.157] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0058.161] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0058.161] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0058.161] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0058.166] lstrlenW (lpString="CscService") returned 10 [0058.166] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0058.169] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0058.169] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0058.169] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0058.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0058.173] lstrlenW (lpString="DcomLaunch") returned 10 [0058.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0058.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0058.176] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0058.176] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0058.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0058.176] lstrlenW (lpString="Dhcp") returned 4 [0058.176] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0058.179] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0058.179] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0058.179] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0058.179] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0058.183] lstrlenW (lpString="Dnscache") returned 8 [0058.183] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0058.183] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0058.187] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0058.187] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0058.187] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0058.191] lstrlenW (lpString="DPS") returned 3 [0058.191] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0058.191] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0058.191] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0058.191] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0058.191] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0058.191] lstrlenW (lpString="eventlog") returned 8 [0058.191] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0058.191] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0058.191] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0058.191] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0058.191] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0058.191] lstrlenW (lpString="EventSystem") returned 11 [0058.191] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0058.191] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0058.192] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0058.192] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0058.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0058.192] lstrlenW (lpString="gpsvc") returned 5 [0058.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0058.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0058.192] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0058.192] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0058.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0058.192] lstrlenW (lpString="iphlpsvc") returned 8 [0058.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0058.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0058.192] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0058.192] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0058.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0058.192] lstrlenW (lpString="LanmanServer") returned 12 [0058.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0058.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0058.192] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0058.192] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0058.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0058.192] lstrlenW (lpString="LanmanWorkstation") returned 17 [0058.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0058.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0058.192] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0058.192] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0058.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0058.193] lstrlenW (lpString="lmhosts") returned 7 [0058.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0058.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0058.193] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0058.193] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0058.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0058.193] lstrlenW (lpString="MMCSS") returned 5 [0058.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0058.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0058.193] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0058.193] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0058.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0058.193] lstrlenW (lpString="MpsSvc") returned 6 [0058.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0058.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0058.193] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0058.193] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0058.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0058.193] lstrlenW (lpString="Netman") returned 6 [0058.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0058.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0058.193] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0058.193] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0058.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0058.194] lstrlenW (lpString="netprofm") returned 8 [0058.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0058.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0058.194] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0058.194] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0058.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0058.194] lstrlenW (lpString="NlaSvc") returned 6 [0058.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0058.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0058.194] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0058.194] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0058.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0058.194] lstrlenW (lpString="nsi") returned 3 [0058.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0058.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0058.194] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0058.194] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0058.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0058.194] lstrlenW (lpString="PcaSvc") returned 6 [0058.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0058.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0058.194] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0058.194] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0058.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0058.194] lstrlenW (lpString="PlugPlay") returned 8 [0058.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0058.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0058.195] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0058.195] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0058.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0058.195] lstrlenW (lpString="Power") returned 5 [0058.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0058.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0058.195] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0058.195] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0058.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0058.195] lstrlenW (lpString="ProfSvc") returned 7 [0058.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0058.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0058.195] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0058.195] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0058.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0058.195] lstrlenW (lpString="RpcEptMapper") returned 12 [0058.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0058.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0058.195] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0058.195] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0058.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0058.195] lstrlenW (lpString="RpcSs") returned 5 [0058.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0058.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0058.195] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0058.195] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0058.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0058.196] lstrlenW (lpString="SamSs") returned 5 [0058.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0058.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0058.196] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0058.196] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0058.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0058.196] lstrlenW (lpString="Schedule") returned 8 [0058.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0058.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0058.196] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0058.196] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0058.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0058.196] lstrlenW (lpString="SENS") returned 4 [0058.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0058.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0058.196] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0058.196] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0058.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0058.196] lstrlenW (lpString="ShellHWDetection") returned 16 [0058.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0058.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0058.196] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0058.196] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0058.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0058.196] lstrlenW (lpString="Spooler") returned 7 [0058.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0058.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0058.197] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0058.197] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0058.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0058.197] lstrlenW (lpString="swprv") returned 5 [0058.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0058.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0058.197] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0058.197] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0058.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0058.197] lstrlenW (lpString="SysMain") returned 7 [0058.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0058.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0058.197] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0058.197] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0058.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0058.197] lstrlenW (lpString="Themes") returned 6 [0058.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0058.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0058.197] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0058.197] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0058.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0058.197] lstrlenW (lpString="TrkWks") returned 6 [0058.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0058.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0058.197] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0058.197] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0058.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0058.198] lstrlenW (lpString="UxSms") returned 5 [0058.198] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0058.198] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0058.198] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0058.198] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0058.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0058.198] lstrlenW (lpString="VSS") returned 3 [0058.198] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0058.198] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0058.198] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0058.198] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0058.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0058.198] lstrlenW (lpString="WdiServiceHost") returned 14 [0058.198] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0058.198] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0058.198] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0058.198] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0058.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0058.198] lstrlenW (lpString="WdiSystemHost") returned 13 [0058.198] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0058.198] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0058.198] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0058.198] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0058.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0058.199] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0058.199] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0058.199] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0058.199] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0058.199] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0058.199] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0058.199] lstrlenW (lpString="Winmgmt") returned 7 [0058.199] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0058.199] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0058.199] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0058.199] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0058.199] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0058.199] lstrlenW (lpString="WPDBusEnum") returned 10 [0058.199] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0058.199] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0058.199] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0058.199] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0058.199] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0058.199] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63f6d8 | out: hHeap=0x5f0000) returned 1 [0058.199] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0058.203] Process32FirstW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0058.204] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0058.204] lstrlenW (lpString="System") returned 6 [0058.204] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0058.204] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0058.204] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0058.204] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0058.204] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0058.204] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0058.204] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0058.204] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0058.204] lstrlenW (lpString="smss.exe") returned 8 [0058.204] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0058.204] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0058.204] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0058.205] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0058.205] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0058.205] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0058.205] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0058.205] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0058.205] lstrlenW (lpString="csrss.exe") returned 9 [0058.205] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0058.205] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0058.205] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0058.205] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0058.205] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0058.205] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0058.205] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0058.205] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0058.206] lstrlenW (lpString="wininit.exe") returned 11 [0058.206] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0058.206] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0058.206] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0058.206] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0058.206] lstrlenW (lpString="csrss.exe") returned 9 [0058.206] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0058.207] lstrlenW (lpString="winlogon.exe") returned 12 [0058.207] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0058.208] lstrlenW (lpString="services.exe") returned 12 [0058.208] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0058.208] lstrlenW (lpString="lsass.exe") returned 9 [0058.208] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0058.208] lstrlenW (lpString="lsm.exe") returned 7 [0058.208] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.209] lstrlenW (lpString="svchost.exe") returned 11 [0058.209] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.209] lstrlenW (lpString="svchost.exe") returned 11 [0058.209] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.209] lstrlenW (lpString="svchost.exe") returned 11 [0058.209] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.210] lstrlenW (lpString="svchost.exe") returned 11 [0058.210] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.210] lstrlenW (lpString="svchost.exe") returned 11 [0058.210] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0058.211] lstrlenW (lpString="audiodg.exe") returned 11 [0058.211] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.211] lstrlenW (lpString="svchost.exe") returned 11 [0058.211] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.211] lstrlenW (lpString="svchost.exe") returned 11 [0058.211] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0058.212] lstrlenW (lpString="dwm.exe") returned 7 [0058.212] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0058.212] lstrlenW (lpString="explorer.exe") returned 12 [0058.212] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0058.212] lstrlenW (lpString="spoolsv.exe") returned 11 [0058.213] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.213] lstrlenW (lpString="svchost.exe") returned 11 [0058.213] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0058.214] lstrlenW (lpString="taskhost.exe") returned 12 [0058.214] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0058.214] lstrlenW (lpString="taskeng.exe") returned 11 [0058.214] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0058.214] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0058.214] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0058.215] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0058.215] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0058.215] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0058.215] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0058.215] lstrlenW (lpString="celebrateowen.exe") returned 17 [0058.216] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0058.216] lstrlenW (lpString="highlights.exe") returned 14 [0058.216] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0058.216] lstrlenW (lpString="armorthunder.exe") returned 16 [0058.216] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0058.217] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0058.217] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0058.217] lstrlenW (lpString="root.exe") returned 8 [0058.217] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0058.217] lstrlenW (lpString="searches.exe") returned 12 [0058.217] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0058.218] lstrlenW (lpString="gnu.exe") returned 7 [0058.218] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0058.218] lstrlenW (lpString="lat differences.exe") returned 19 [0058.218] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0058.219] lstrlenW (lpString="wetdelayed.exe") returned 14 [0058.219] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0058.219] lstrlenW (lpString="scarydm.exe") returned 11 [0058.219] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0058.219] lstrlenW (lpString="relating coating ride.exe") returned 25 [0058.219] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0058.220] lstrlenW (lpString="compressed.exe") returned 14 [0058.220] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0058.220] lstrlenW (lpString="installing.exe") returned 14 [0058.220] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0058.221] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0058.221] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0058.221] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0058.221] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0058.221] lstrlenW (lpString="3dftp.exe") returned 9 [0058.221] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0058.222] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0058.222] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0058.222] lstrlenW (lpString="alftp.exe") returned 9 [0058.222] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0058.223] lstrlenW (lpString="barca.exe") returned 9 [0058.223] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0058.223] lstrlenW (lpString="bitkinex.exe") returned 12 [0058.223] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0058.223] lstrlenW (lpString="coreftp.exe") returned 11 [0058.223] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0058.224] lstrlenW (lpString="far.exe") returned 7 [0058.224] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0058.224] lstrlenW (lpString="filezilla.exe") returned 13 [0058.224] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0058.225] lstrlenW (lpString="flashfxp.exe") returned 12 [0058.225] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0058.225] lstrlenW (lpString="fling.exe") returned 9 [0058.225] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0058.225] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0058.225] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0058.226] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0058.226] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0058.226] lstrlenW (lpString="icq.exe") returned 7 [0058.226] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0058.226] lstrlenW (lpString="leechftp.exe") returned 12 [0058.226] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0058.227] lstrlenW (lpString="ncftp.exe") returned 9 [0058.227] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0058.227] lstrlenW (lpString="notepad.exe") returned 11 [0058.227] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0058.228] lstrlenW (lpString="operamail.exe") returned 13 [0058.228] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0058.228] lstrlenW (lpString="pidgin.exe") returned 10 [0058.228] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0058.510] lstrlenW (lpString="scriptftp.exe") returned 13 [0058.510] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0058.510] lstrlenW (lpString="skype.exe") returned 9 [0058.510] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0058.511] lstrlenW (lpString="smartftp.exe") returned 12 [0058.511] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0058.511] lstrlenW (lpString="thunderbird.exe") returned 15 [0058.511] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0058.512] lstrlenW (lpString="totalcmd.exe") returned 12 [0058.512] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0058.512] lstrlenW (lpString="trillian.exe") returned 12 [0058.512] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0058.513] lstrlenW (lpString="webdrive.exe") returned 12 [0058.513] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0058.513] lstrlenW (lpString="whatsapp.exe") returned 12 [0058.513] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0058.514] lstrlenW (lpString="winscp.exe") returned 10 [0058.514] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0058.514] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0058.515] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0058.515] lstrlenW (lpString="active-charge.exe") returned 17 [0058.515] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0058.516] lstrlenW (lpString="accupos.exe") returned 11 [0058.516] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0058.516] lstrlenW (lpString="afr38.exe") returned 9 [0058.516] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0058.517] lstrlenW (lpString="aldelo.exe") returned 10 [0058.517] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0058.517] lstrlenW (lpString="ccv_server.exe") returned 14 [0058.517] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0058.517] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0058.517] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0058.518] lstrlenW (lpString="creditservice.exe") returned 17 [0058.518] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0058.518] lstrlenW (lpString="edcsvr.exe") returned 10 [0058.518] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0058.519] lstrlenW (lpString="fpos.exe") returned 8 [0058.519] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0058.519] lstrlenW (lpString="isspos.exe") returned 10 [0058.519] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0058.520] lstrlenW (lpString="mxslipstream.exe") returned 16 [0058.520] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0058.520] lstrlenW (lpString="omnipos.exe") returned 11 [0058.520] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0058.521] lstrlenW (lpString="spcwin.exe") returned 10 [0058.521] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0058.521] lstrlenW (lpString="spgagentservice.exe") returned 19 [0058.521] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0058.522] lstrlenW (lpString="utg2.exe") returned 8 [0058.522] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0058.522] lstrlenW (lpString="november_objects.exe") returned 20 [0058.522] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0058.523] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0058.523] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0058.523] lstrlenW (lpString="peace_bite.exe") returned 14 [0058.523] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0058.524] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0058.524] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0058.524] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0058.524] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0058.525] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0058.525] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0058.526] lstrlenW (lpString="taskhost.exe") returned 12 [0058.526] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0058.526] lstrlenW (lpString="winhost.exe") returned 11 [0058.526] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0058.527] lstrlenW (lpString="cmd.exe") returned 7 [0058.527] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0058.527] lstrlenW (lpString="conhost.exe") returned 11 [0058.527] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0058.528] lstrlenW (lpString="vssadmin.exe") returned 12 [0058.528] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0058.528] lstrlenW (lpString="VSSVC.exe") returned 9 [0058.528] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.528] lstrlenW (lpString="svchost.exe") returned 11 [0058.529] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0058.529] CloseHandle (hObject=0x20c) returned 1 [0058.529] Sleep (dwMilliseconds=0x1f4) [0059.092] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x675190 [0059.093] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0059.093] GetLastError () returned 0xea [0059.093] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x63f6d8 [0059.094] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x63f6d8, cbBufSize=0x12c6, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x63f6d8, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0059.095] CloseServiceHandle (hSCObject=0x675190) returned 1 [0059.095] lstrlenW (lpString="Appinfo") returned 7 [0059.095] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0059.095] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0059.095] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0059.095] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0059.095] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0059.095] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0059.095] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0059.095] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0059.095] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0059.095] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0059.095] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0059.095] lstrlenW (lpString="AudioSrv") returned 8 [0059.095] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0059.095] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0059.096] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0059.096] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0059.096] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0059.096] lstrlenW (lpString="BFE") returned 3 [0059.096] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0059.096] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0059.096] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0059.096] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0059.096] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0059.096] lstrlenW (lpString="CryptSvc") returned 8 [0059.096] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0059.096] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0059.096] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0059.096] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0059.096] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0059.096] lstrlenW (lpString="CscService") returned 10 [0059.096] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0059.096] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0059.096] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0059.096] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0059.096] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0059.096] lstrlenW (lpString="DcomLaunch") returned 10 [0059.096] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0059.096] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0059.096] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0059.096] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0059.096] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0059.096] lstrlenW (lpString="Dhcp") returned 4 [0059.096] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0059.097] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0059.097] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0059.097] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0059.097] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0059.097] lstrlenW (lpString="Dnscache") returned 8 [0059.097] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0059.097] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0059.097] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0059.097] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0059.097] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0059.097] lstrlenW (lpString="DPS") returned 3 [0059.097] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0059.097] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0059.097] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0059.097] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0059.097] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0059.097] lstrlenW (lpString="eventlog") returned 8 [0059.097] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0059.097] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0059.097] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0059.097] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0059.097] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0059.097] lstrlenW (lpString="EventSystem") returned 11 [0059.097] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0059.097] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0059.097] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0059.097] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0059.097] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0059.097] lstrlenW (lpString="gpsvc") returned 5 [0059.097] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0059.097] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0059.097] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0059.097] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0059.097] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0059.097] lstrlenW (lpString="iphlpsvc") returned 8 [0059.098] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0059.098] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0059.098] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0059.098] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0059.098] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0059.098] lstrlenW (lpString="LanmanServer") returned 12 [0059.098] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0059.098] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0059.098] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0059.098] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0059.098] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0059.098] lstrlenW (lpString="LanmanWorkstation") returned 17 [0059.098] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0059.098] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0059.098] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0059.098] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0059.098] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0059.098] lstrlenW (lpString="lmhosts") returned 7 [0059.098] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0059.098] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0059.098] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0059.098] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0059.098] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0059.098] lstrlenW (lpString="MMCSS") returned 5 [0059.098] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0059.098] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0059.098] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0059.098] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0059.098] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0059.098] lstrlenW (lpString="MpsSvc") returned 6 [0059.098] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0059.098] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0059.098] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0059.099] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0059.099] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0059.099] lstrlenW (lpString="Netman") returned 6 [0059.099] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0059.099] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0059.099] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0059.099] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0059.099] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0059.099] lstrlenW (lpString="netprofm") returned 8 [0059.099] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0059.099] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0059.099] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0059.099] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0059.099] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0059.099] lstrlenW (lpString="NlaSvc") returned 6 [0059.099] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0059.099] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0059.099] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0059.099] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0059.099] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0059.099] lstrlenW (lpString="nsi") returned 3 [0059.099] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0059.099] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0059.099] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0059.099] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0059.099] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0059.099] lstrlenW (lpString="PcaSvc") returned 6 [0059.099] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0059.099] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0059.099] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0059.099] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0059.099] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0059.099] lstrlenW (lpString="PlugPlay") returned 8 [0059.100] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0059.100] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0059.100] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0059.100] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0059.100] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0059.100] lstrlenW (lpString="Power") returned 5 [0059.100] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0059.100] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0059.100] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0059.100] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0059.100] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0059.100] lstrlenW (lpString="ProfSvc") returned 7 [0059.100] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0059.100] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0059.100] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0059.100] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0059.100] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0059.100] lstrlenW (lpString="RpcEptMapper") returned 12 [0059.100] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0059.100] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0059.100] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0059.100] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0059.100] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0059.100] lstrlenW (lpString="RpcSs") returned 5 [0059.100] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0059.100] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0059.100] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0059.100] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0059.100] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0059.100] lstrlenW (lpString="SamSs") returned 5 [0059.100] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0059.100] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0059.100] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0059.101] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0059.101] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0059.101] lstrlenW (lpString="Schedule") returned 8 [0059.101] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0059.101] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0059.101] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0059.101] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0059.101] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0059.101] lstrlenW (lpString="SENS") returned 4 [0059.101] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0059.101] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0059.101] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0059.101] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0059.101] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0059.101] lstrlenW (lpString="ShellHWDetection") returned 16 [0059.101] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0059.101] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0059.101] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0059.101] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0059.101] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0059.101] lstrlenW (lpString="Spooler") returned 7 [0059.101] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0059.101] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0059.101] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0059.101] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0059.101] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0059.101] lstrlenW (lpString="swprv") returned 5 [0059.101] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0059.101] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0059.101] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0059.101] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0059.102] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0059.102] lstrlenW (lpString="SysMain") returned 7 [0059.102] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0059.102] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0059.102] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0059.102] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0059.102] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0059.102] lstrlenW (lpString="Themes") returned 6 [0059.102] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0059.102] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0059.102] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0059.102] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0059.102] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0059.102] lstrlenW (lpString="TrkWks") returned 6 [0059.102] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0059.102] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0059.102] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0059.102] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0059.102] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0059.102] lstrlenW (lpString="UxSms") returned 5 [0059.102] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0059.102] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0059.102] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0059.102] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0059.102] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0059.102] lstrlenW (lpString="VSS") returned 3 [0059.102] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0059.102] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0059.102] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0059.102] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0059.102] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0059.103] lstrlenW (lpString="WdiServiceHost") returned 14 [0059.103] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0059.103] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0059.103] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0059.103] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0059.103] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0059.103] lstrlenW (lpString="WdiSystemHost") returned 13 [0059.103] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0059.103] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0059.103] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0059.103] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0059.103] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0059.103] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0059.103] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0059.103] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0059.103] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0059.103] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0059.103] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0059.103] lstrlenW (lpString="Winmgmt") returned 7 [0059.103] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0059.103] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0059.103] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0059.103] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0059.103] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0059.103] lstrlenW (lpString="WPDBusEnum") returned 10 [0059.103] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0059.103] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0059.103] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0059.103] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0059.103] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0059.103] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63f6d8 | out: hHeap=0x5f0000) returned 1 [0059.104] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0059.110] Process32FirstW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0059.110] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0059.110] lstrlenW (lpString="System") returned 6 [0059.110] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0059.110] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0059.110] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0059.110] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0059.110] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0059.110] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0059.110] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0059.110] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0059.111] lstrlenW (lpString="smss.exe") returned 8 [0059.111] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0059.111] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0059.111] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0059.111] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0059.111] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0059.111] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0059.111] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0059.111] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0059.111] lstrlenW (lpString="csrss.exe") returned 9 [0059.111] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0059.111] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0059.111] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0059.111] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0059.111] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0059.111] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0059.111] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0059.111] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0059.112] lstrlenW (lpString="wininit.exe") returned 11 [0059.112] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0059.112] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0059.112] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0059.112] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0059.112] lstrlenW (lpString="csrss.exe") returned 9 [0059.112] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0059.112] lstrlenW (lpString="winlogon.exe") returned 12 [0059.112] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0059.113] lstrlenW (lpString="services.exe") returned 12 [0059.113] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0059.113] lstrlenW (lpString="lsass.exe") returned 9 [0059.113] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0059.113] lstrlenW (lpString="lsm.exe") returned 7 [0059.113] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.114] lstrlenW (lpString="svchost.exe") returned 11 [0059.114] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.114] lstrlenW (lpString="svchost.exe") returned 11 [0059.114] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.114] lstrlenW (lpString="svchost.exe") returned 11 [0059.115] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.115] lstrlenW (lpString="svchost.exe") returned 11 [0059.115] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.115] lstrlenW (lpString="svchost.exe") returned 11 [0059.115] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0059.116] lstrlenW (lpString="audiodg.exe") returned 11 [0059.116] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.116] lstrlenW (lpString="svchost.exe") returned 11 [0059.116] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.116] lstrlenW (lpString="svchost.exe") returned 11 [0059.117] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0059.117] lstrlenW (lpString="dwm.exe") returned 7 [0059.117] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0059.117] lstrlenW (lpString="explorer.exe") returned 12 [0059.117] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0059.118] lstrlenW (lpString="spoolsv.exe") returned 11 [0059.118] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.118] lstrlenW (lpString="svchost.exe") returned 11 [0059.119] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0059.119] lstrlenW (lpString="taskhost.exe") returned 12 [0059.119] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0059.119] lstrlenW (lpString="taskeng.exe") returned 11 [0059.119] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0059.120] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0059.120] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0059.120] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0059.120] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0059.120] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0059.120] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0059.121] lstrlenW (lpString="celebrateowen.exe") returned 17 [0059.121] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0059.121] lstrlenW (lpString="highlights.exe") returned 14 [0059.121] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0059.122] lstrlenW (lpString="armorthunder.exe") returned 16 [0059.122] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0059.122] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0059.122] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0059.122] lstrlenW (lpString="root.exe") returned 8 [0059.122] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0059.123] lstrlenW (lpString="searches.exe") returned 12 [0059.123] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0059.123] lstrlenW (lpString="gnu.exe") returned 7 [0059.123] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0059.123] lstrlenW (lpString="lat differences.exe") returned 19 [0059.124] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0059.124] lstrlenW (lpString="wetdelayed.exe") returned 14 [0059.124] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0059.124] lstrlenW (lpString="scarydm.exe") returned 11 [0059.124] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0059.125] lstrlenW (lpString="relating coating ride.exe") returned 25 [0059.125] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0059.125] lstrlenW (lpString="compressed.exe") returned 14 [0059.125] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0059.125] lstrlenW (lpString="installing.exe") returned 14 [0059.125] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0059.126] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0059.126] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0059.126] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0059.126] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0059.126] lstrlenW (lpString="3dftp.exe") returned 9 [0059.126] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0059.127] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0059.127] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0059.127] lstrlenW (lpString="alftp.exe") returned 9 [0059.127] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0059.127] lstrlenW (lpString="barca.exe") returned 9 [0059.127] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0059.128] lstrlenW (lpString="bitkinex.exe") returned 12 [0059.128] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0059.128] lstrlenW (lpString="coreftp.exe") returned 11 [0059.128] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0059.128] lstrlenW (lpString="far.exe") returned 7 [0059.128] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0059.129] lstrlenW (lpString="filezilla.exe") returned 13 [0059.129] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0059.129] lstrlenW (lpString="flashfxp.exe") returned 12 [0059.129] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0059.129] lstrlenW (lpString="fling.exe") returned 9 [0059.129] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0059.130] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0059.130] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0059.130] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0059.130] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0059.131] lstrlenW (lpString="icq.exe") returned 7 [0059.131] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0059.131] lstrlenW (lpString="leechftp.exe") returned 12 [0059.131] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0059.131] lstrlenW (lpString="ncftp.exe") returned 9 [0059.131] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0059.132] lstrlenW (lpString="notepad.exe") returned 11 [0059.132] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0059.132] lstrlenW (lpString="operamail.exe") returned 13 [0059.132] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0059.133] lstrlenW (lpString="pidgin.exe") returned 10 [0059.133] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0059.133] lstrlenW (lpString="scriptftp.exe") returned 13 [0059.133] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0059.555] lstrlenW (lpString="skype.exe") returned 9 [0059.555] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0059.555] lstrlenW (lpString="smartftp.exe") returned 12 [0059.556] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0059.556] lstrlenW (lpString="thunderbird.exe") returned 15 [0059.556] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0059.557] lstrlenW (lpString="totalcmd.exe") returned 12 [0059.557] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0059.557] lstrlenW (lpString="trillian.exe") returned 12 [0059.557] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0059.558] lstrlenW (lpString="webdrive.exe") returned 12 [0059.558] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0059.558] lstrlenW (lpString="whatsapp.exe") returned 12 [0059.558] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0059.559] lstrlenW (lpString="winscp.exe") returned 10 [0059.559] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0059.559] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0059.560] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0059.560] lstrlenW (lpString="active-charge.exe") returned 17 [0059.560] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0059.561] lstrlenW (lpString="accupos.exe") returned 11 [0059.561] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0059.561] lstrlenW (lpString="afr38.exe") returned 9 [0059.561] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0059.562] lstrlenW (lpString="aldelo.exe") returned 10 [0059.562] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0059.562] lstrlenW (lpString="ccv_server.exe") returned 14 [0059.562] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0059.563] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0059.563] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0059.563] lstrlenW (lpString="creditservice.exe") returned 17 [0059.563] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0059.564] lstrlenW (lpString="edcsvr.exe") returned 10 [0059.564] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0059.564] lstrlenW (lpString="fpos.exe") returned 8 [0059.564] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0059.565] lstrlenW (lpString="isspos.exe") returned 10 [0059.565] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0059.565] lstrlenW (lpString="mxslipstream.exe") returned 16 [0059.565] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0059.565] lstrlenW (lpString="omnipos.exe") returned 11 [0059.565] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0059.566] lstrlenW (lpString="spcwin.exe") returned 10 [0059.566] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0059.566] lstrlenW (lpString="spgagentservice.exe") returned 19 [0059.566] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0059.567] lstrlenW (lpString="utg2.exe") returned 8 [0059.567] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0059.567] lstrlenW (lpString="november_objects.exe") returned 20 [0059.567] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0059.567] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0059.568] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0059.568] lstrlenW (lpString="peace_bite.exe") returned 14 [0059.568] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0059.568] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0059.568] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0059.569] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0059.569] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0059.569] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0059.569] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0059.570] lstrlenW (lpString="taskhost.exe") returned 12 [0059.570] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0059.584] lstrlenW (lpString="winhost.exe") returned 11 [0059.584] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0059.585] lstrlenW (lpString="cmd.exe") returned 7 [0059.585] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0059.585] lstrlenW (lpString="conhost.exe") returned 11 [0059.585] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0059.586] lstrlenW (lpString="vssadmin.exe") returned 12 [0059.586] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0059.586] lstrlenW (lpString="VSSVC.exe") returned 9 [0059.586] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.587] lstrlenW (lpString="svchost.exe") returned 11 [0059.587] Process32NextW (in: hSnapshot=0x20c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0059.587] CloseHandle (hObject=0x20c) returned 1 [0059.587] Sleep (dwMilliseconds=0x1f4) [0060.497] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x675190 [0060.532] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0060.601] GetLastError () returned 0xea [0060.610] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x6e1cf0 [0060.626] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6e1cf0, cbBufSize=0x12c6, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6e1cf0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0060.696] CloseServiceHandle (hSCObject=0x675190) returned 1 [0060.696] lstrlenW (lpString="Appinfo") returned 7 [0060.696] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0060.696] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0060.696] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0060.696] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0060.696] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0060.696] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0060.696] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0060.696] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0060.696] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0060.696] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0060.696] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0060.697] lstrlenW (lpString="AudioSrv") returned 8 [0060.697] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0060.697] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0060.697] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0060.697] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0060.697] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0060.697] lstrlenW (lpString="BFE") returned 3 [0060.697] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0060.697] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0060.697] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0060.697] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0060.697] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0060.697] lstrlenW (lpString="CryptSvc") returned 8 [0060.697] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0060.697] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0060.697] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0060.697] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0060.697] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0060.697] lstrlenW (lpString="CscService") returned 10 [0060.697] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0060.697] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0060.698] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0060.698] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0060.698] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0060.698] lstrlenW (lpString="DcomLaunch") returned 10 [0060.698] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0060.698] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0060.698] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0060.698] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0060.698] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0060.698] lstrlenW (lpString="Dhcp") returned 4 [0060.698] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0060.698] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0060.698] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0060.698] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0060.698] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0060.698] lstrlenW (lpString="Dnscache") returned 8 [0060.698] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0060.698] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0060.698] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0060.698] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0060.698] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0060.698] lstrlenW (lpString="DPS") returned 3 [0060.698] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0060.698] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0060.698] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0060.698] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0060.699] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0060.699] lstrlenW (lpString="eventlog") returned 8 [0060.699] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0060.699] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0060.699] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0060.699] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0060.699] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0060.699] lstrlenW (lpString="EventSystem") returned 11 [0060.699] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0060.699] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0060.699] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0060.699] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0060.699] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0060.699] lstrlenW (lpString="gpsvc") returned 5 [0060.699] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0060.699] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0060.699] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0060.699] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0060.699] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0060.699] lstrlenW (lpString="iphlpsvc") returned 8 [0060.699] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0060.699] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0060.699] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0060.699] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0060.700] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0060.700] lstrlenW (lpString="LanmanServer") returned 12 [0060.700] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0060.700] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0060.700] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0060.700] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0060.700] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0060.700] lstrlenW (lpString="LanmanWorkstation") returned 17 [0060.700] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0060.700] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0060.700] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0060.700] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0060.700] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0060.700] lstrlenW (lpString="lmhosts") returned 7 [0060.700] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0060.700] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0060.700] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0060.700] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0060.700] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0060.700] lstrlenW (lpString="MMCSS") returned 5 [0060.700] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0060.700] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0060.700] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0060.701] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0060.701] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0060.701] lstrlenW (lpString="MpsSvc") returned 6 [0060.701] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0060.701] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0060.701] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0060.701] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0060.701] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0060.701] lstrlenW (lpString="Netman") returned 6 [0060.701] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0060.701] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0060.701] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0060.701] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0060.701] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0060.701] lstrlenW (lpString="netprofm") returned 8 [0060.701] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0060.701] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0060.701] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0060.701] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0060.701] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0060.701] lstrlenW (lpString="NlaSvc") returned 6 [0060.701] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0060.701] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0060.701] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0060.702] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0060.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0060.702] lstrlenW (lpString="nsi") returned 3 [0060.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0060.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0060.702] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0060.702] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0060.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0060.702] lstrlenW (lpString="PcaSvc") returned 6 [0060.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0060.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0060.702] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0060.702] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0060.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0060.702] lstrlenW (lpString="PlugPlay") returned 8 [0060.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0060.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0060.702] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0060.702] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0060.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0060.702] lstrlenW (lpString="Power") returned 5 [0060.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0060.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0060.702] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0060.702] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0060.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0060.703] lstrlenW (lpString="ProfSvc") returned 7 [0060.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0060.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0060.703] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0060.703] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0060.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0060.703] lstrlenW (lpString="RpcEptMapper") returned 12 [0060.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0060.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0060.703] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0060.703] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0060.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0060.703] lstrlenW (lpString="RpcSs") returned 5 [0060.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0060.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0060.703] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0060.703] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0060.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0060.703] lstrlenW (lpString="SamSs") returned 5 [0060.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0060.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0060.703] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0060.703] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0060.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0060.703] lstrlenW (lpString="Schedule") returned 8 [0060.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0060.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0060.704] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0060.704] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0060.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0060.704] lstrlenW (lpString="SENS") returned 4 [0060.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0060.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0060.704] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0060.704] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0060.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0060.704] lstrlenW (lpString="ShellHWDetection") returned 16 [0060.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0060.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0060.704] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0060.704] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0060.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0060.704] lstrlenW (lpString="Spooler") returned 7 [0060.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0060.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0060.704] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0060.704] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0060.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0060.704] lstrlenW (lpString="swprv") returned 5 [0060.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0060.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0060.705] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0060.705] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0060.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0060.705] lstrlenW (lpString="SysMain") returned 7 [0060.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0060.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0060.705] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0060.705] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0060.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0060.705] lstrlenW (lpString="Themes") returned 6 [0060.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0060.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0060.705] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0060.705] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0060.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0060.705] lstrlenW (lpString="TrkWks") returned 6 [0060.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0060.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0060.705] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0060.705] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0060.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0060.705] lstrlenW (lpString="UxSms") returned 5 [0060.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0060.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0060.706] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0060.706] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0060.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0060.706] lstrlenW (lpString="VSS") returned 3 [0060.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0060.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0060.706] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0060.706] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0060.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0060.706] lstrlenW (lpString="WdiServiceHost") returned 14 [0060.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0060.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0060.706] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0060.706] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0060.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0060.706] lstrlenW (lpString="WdiSystemHost") returned 13 [0060.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0060.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0060.706] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0060.706] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0060.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0060.707] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0060.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0060.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0060.707] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0060.707] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0060.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0060.707] lstrlenW (lpString="Winmgmt") returned 7 [0060.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0060.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0060.707] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0060.707] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0060.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0060.707] lstrlenW (lpString="WPDBusEnum") returned 10 [0060.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0060.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0060.707] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0060.707] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0060.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0060.707] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6e1cf0 | out: hHeap=0x5f0000) returned 1 [0060.707] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x19c [0060.712] Process32FirstW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0060.713] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0060.713] lstrlenW (lpString="System") returned 6 [0060.713] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0060.713] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0060.713] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0060.713] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0060.713] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0060.713] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0060.714] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0060.714] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0060.714] lstrlenW (lpString="smss.exe") returned 8 [0060.714] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0060.714] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0060.714] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0060.714] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0060.714] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0060.714] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0060.714] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0060.714] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0060.715] lstrlenW (lpString="csrss.exe") returned 9 [0060.715] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0060.715] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0060.715] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0060.715] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0060.715] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0060.715] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0060.715] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0060.715] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0060.715] lstrlenW (lpString="wininit.exe") returned 11 [0060.716] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0060.716] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0060.716] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0060.716] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0060.716] lstrlenW (lpString="csrss.exe") returned 9 [0060.716] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0060.717] lstrlenW (lpString="winlogon.exe") returned 12 [0060.717] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0060.717] lstrlenW (lpString="services.exe") returned 12 [0060.717] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0060.717] lstrlenW (lpString="lsass.exe") returned 9 [0060.718] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0060.718] lstrlenW (lpString="lsm.exe") returned 7 [0060.718] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.718] lstrlenW (lpString="svchost.exe") returned 11 [0060.718] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.719] lstrlenW (lpString="svchost.exe") returned 11 [0060.719] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.719] lstrlenW (lpString="svchost.exe") returned 11 [0060.719] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.720] lstrlenW (lpString="svchost.exe") returned 11 [0060.720] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.720] lstrlenW (lpString="svchost.exe") returned 11 [0060.720] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0060.720] lstrlenW (lpString="audiodg.exe") returned 11 [0060.720] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.721] lstrlenW (lpString="svchost.exe") returned 11 [0060.721] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.721] lstrlenW (lpString="svchost.exe") returned 11 [0060.721] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0060.722] lstrlenW (lpString="dwm.exe") returned 7 [0060.722] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0060.722] lstrlenW (lpString="explorer.exe") returned 12 [0060.722] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0060.723] lstrlenW (lpString="spoolsv.exe") returned 11 [0060.723] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.723] lstrlenW (lpString="svchost.exe") returned 11 [0060.723] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0060.723] lstrlenW (lpString="taskhost.exe") returned 12 [0060.723] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0060.724] lstrlenW (lpString="taskeng.exe") returned 11 [0060.724] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0060.724] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0060.724] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0060.882] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0060.882] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0060.882] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0060.882] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0060.883] lstrlenW (lpString="celebrateowen.exe") returned 17 [0060.883] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0060.883] lstrlenW (lpString="highlights.exe") returned 14 [0060.883] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0060.883] lstrlenW (lpString="armorthunder.exe") returned 16 [0060.883] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0060.884] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0060.884] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0060.884] lstrlenW (lpString="root.exe") returned 8 [0060.884] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0060.884] lstrlenW (lpString="searches.exe") returned 12 [0060.885] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0060.885] lstrlenW (lpString="gnu.exe") returned 7 [0060.885] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0060.885] lstrlenW (lpString="lat differences.exe") returned 19 [0060.885] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0060.886] lstrlenW (lpString="wetdelayed.exe") returned 14 [0060.886] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0060.886] lstrlenW (lpString="scarydm.exe") returned 11 [0060.886] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0060.887] lstrlenW (lpString="relating coating ride.exe") returned 25 [0060.887] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0060.887] lstrlenW (lpString="compressed.exe") returned 14 [0060.887] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0060.887] lstrlenW (lpString="installing.exe") returned 14 [0060.887] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0060.888] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0060.888] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0060.888] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0060.888] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0060.888] lstrlenW (lpString="3dftp.exe") returned 9 [0060.888] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0060.889] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0060.889] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0060.889] lstrlenW (lpString="alftp.exe") returned 9 [0060.889] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0060.889] lstrlenW (lpString="barca.exe") returned 9 [0060.889] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0060.890] lstrlenW (lpString="bitkinex.exe") returned 12 [0060.890] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0060.890] lstrlenW (lpString="coreftp.exe") returned 11 [0060.890] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0060.890] lstrlenW (lpString="far.exe") returned 7 [0060.890] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0060.891] lstrlenW (lpString="filezilla.exe") returned 13 [0060.891] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0060.891] lstrlenW (lpString="flashfxp.exe") returned 12 [0060.891] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0060.891] lstrlenW (lpString="fling.exe") returned 9 [0060.891] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0060.892] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0060.892] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0060.892] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0060.892] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0060.892] lstrlenW (lpString="icq.exe") returned 7 [0060.893] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0060.893] lstrlenW (lpString="leechftp.exe") returned 12 [0060.893] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0060.894] lstrlenW (lpString="ncftp.exe") returned 9 [0060.894] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0060.894] lstrlenW (lpString="notepad.exe") returned 11 [0060.894] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0060.895] lstrlenW (lpString="operamail.exe") returned 13 [0060.895] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0060.895] lstrlenW (lpString="pidgin.exe") returned 10 [0060.895] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0060.896] lstrlenW (lpString="scriptftp.exe") returned 13 [0060.896] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0060.897] lstrlenW (lpString="skype.exe") returned 9 [0060.897] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0060.897] lstrlenW (lpString="smartftp.exe") returned 12 [0060.897] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0060.898] lstrlenW (lpString="thunderbird.exe") returned 15 [0060.898] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0060.898] lstrlenW (lpString="totalcmd.exe") returned 12 [0060.898] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0060.899] lstrlenW (lpString="trillian.exe") returned 12 [0060.899] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0060.899] lstrlenW (lpString="webdrive.exe") returned 12 [0060.899] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0060.900] lstrlenW (lpString="whatsapp.exe") returned 12 [0060.900] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0060.900] lstrlenW (lpString="winscp.exe") returned 10 [0060.900] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0060.901] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0060.901] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0060.901] lstrlenW (lpString="active-charge.exe") returned 17 [0060.901] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0060.901] lstrlenW (lpString="accupos.exe") returned 11 [0060.901] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0060.902] lstrlenW (lpString="afr38.exe") returned 9 [0060.902] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0060.902] lstrlenW (lpString="aldelo.exe") returned 10 [0060.902] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0060.903] lstrlenW (lpString="ccv_server.exe") returned 14 [0060.903] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0060.903] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0060.903] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0060.903] lstrlenW (lpString="creditservice.exe") returned 17 [0060.903] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0060.904] lstrlenW (lpString="edcsvr.exe") returned 10 [0060.904] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0060.904] lstrlenW (lpString="fpos.exe") returned 8 [0060.904] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0060.905] lstrlenW (lpString="isspos.exe") returned 10 [0060.905] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0060.905] lstrlenW (lpString="mxslipstream.exe") returned 16 [0060.905] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0060.905] lstrlenW (lpString="omnipos.exe") returned 11 [0060.905] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0060.906] lstrlenW (lpString="spcwin.exe") returned 10 [0060.906] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0060.906] lstrlenW (lpString="spgagentservice.exe") returned 19 [0060.906] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0060.907] lstrlenW (lpString="utg2.exe") returned 8 [0060.907] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0060.907] lstrlenW (lpString="november_objects.exe") returned 20 [0060.907] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0060.907] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0060.908] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0060.908] lstrlenW (lpString="peace_bite.exe") returned 14 [0060.908] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0060.908] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0060.908] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0060.909] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0060.909] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0060.909] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0060.909] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0060.909] lstrlenW (lpString="taskhost.exe") returned 12 [0060.909] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0060.910] lstrlenW (lpString="winhost.exe") returned 11 [0060.910] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0060.910] lstrlenW (lpString="cmd.exe") returned 7 [0060.910] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0060.910] lstrlenW (lpString="conhost.exe") returned 11 [0060.910] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0060.911] lstrlenW (lpString="vssadmin.exe") returned 12 [0060.911] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0060.911] lstrlenW (lpString="VSSVC.exe") returned 9 [0060.911] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.912] lstrlenW (lpString="svchost.exe") returned 11 [0060.912] Process32NextW (in: hSnapshot=0x19c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0060.913] CloseHandle (hObject=0x19c) returned 1 [0060.913] Sleep (dwMilliseconds=0x1f4) [0061.511] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x675190 [0061.511] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0061.512] GetLastError () returned 0xea [0061.512] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x6e1cf0 [0061.512] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6e1cf0, cbBufSize=0x12c6, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6e1cf0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0061.513] CloseServiceHandle (hSCObject=0x675190) returned 1 [0061.513] lstrlenW (lpString="Appinfo") returned 7 [0061.513] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0061.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0061.513] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0061.513] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0061.513] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0061.513] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0061.513] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0061.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0061.514] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0061.514] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0061.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0061.514] lstrlenW (lpString="AudioSrv") returned 8 [0061.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0061.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0061.514] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0061.514] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0061.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0061.514] lstrlenW (lpString="BFE") returned 3 [0061.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0061.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0061.514] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0061.514] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0061.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0061.514] lstrlenW (lpString="CryptSvc") returned 8 [0061.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0061.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0061.514] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0061.514] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0061.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0061.514] lstrlenW (lpString="CscService") returned 10 [0061.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0061.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0061.514] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0061.514] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0061.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0061.514] lstrlenW (lpString="DcomLaunch") returned 10 [0061.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0061.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0061.514] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0061.514] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0061.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0061.514] lstrlenW (lpString="Dhcp") returned 4 [0061.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0061.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0061.515] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0061.515] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0061.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0061.515] lstrlenW (lpString="Dnscache") returned 8 [0061.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0061.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0061.515] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0061.515] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0061.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0061.515] lstrlenW (lpString="DPS") returned 3 [0061.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0061.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0061.515] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0061.515] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0061.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0061.515] lstrlenW (lpString="eventlog") returned 8 [0061.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0061.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0061.515] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0061.515] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0061.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0061.515] lstrlenW (lpString="EventSystem") returned 11 [0061.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0061.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0061.515] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0061.515] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0061.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0061.515] lstrlenW (lpString="gpsvc") returned 5 [0061.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0061.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0061.515] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0061.515] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0061.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0061.515] lstrlenW (lpString="iphlpsvc") returned 8 [0061.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0061.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0061.516] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0061.516] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0061.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0061.516] lstrlenW (lpString="LanmanServer") returned 12 [0061.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0061.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0061.516] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0061.516] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0061.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0061.516] lstrlenW (lpString="LanmanWorkstation") returned 17 [0061.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0061.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0061.516] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0061.516] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0061.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0061.516] lstrlenW (lpString="lmhosts") returned 7 [0061.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0061.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0061.516] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0061.516] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0061.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0061.516] lstrlenW (lpString="MMCSS") returned 5 [0061.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0061.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0061.516] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0061.516] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0061.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0061.516] lstrlenW (lpString="MpsSvc") returned 6 [0061.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0061.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0061.517] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0061.517] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0061.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0061.517] lstrlenW (lpString="Netman") returned 6 [0061.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0061.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0061.517] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0061.517] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0061.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0061.517] lstrlenW (lpString="netprofm") returned 8 [0061.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0061.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0061.517] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0061.517] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0061.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0061.517] lstrlenW (lpString="NlaSvc") returned 6 [0061.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0061.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0061.517] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0061.517] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0061.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0061.517] lstrlenW (lpString="nsi") returned 3 [0061.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0061.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0061.517] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0061.518] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0061.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0061.518] lstrlenW (lpString="PcaSvc") returned 6 [0061.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0061.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0061.518] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0061.518] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0061.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0061.518] lstrlenW (lpString="PlugPlay") returned 8 [0061.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0061.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0061.518] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0061.518] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0061.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0061.518] lstrlenW (lpString="Power") returned 5 [0061.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0061.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0061.518] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0061.518] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0061.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0061.518] lstrlenW (lpString="ProfSvc") returned 7 [0061.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0061.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0061.518] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0061.518] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0061.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0061.519] lstrlenW (lpString="RpcEptMapper") returned 12 [0061.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0061.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0061.519] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0061.519] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0061.519] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0061.519] lstrlenW (lpString="RpcSs") returned 5 [0061.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0061.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0061.519] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0061.519] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0061.519] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0061.519] lstrlenW (lpString="SamSs") returned 5 [0061.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0061.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0061.519] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0061.519] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0061.519] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0061.519] lstrlenW (lpString="Schedule") returned 8 [0061.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0061.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0061.519] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0061.519] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0061.519] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0061.519] lstrlenW (lpString="SENS") returned 4 [0061.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0061.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0061.520] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0061.520] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0061.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0061.520] lstrlenW (lpString="ShellHWDetection") returned 16 [0061.520] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0061.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0061.520] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0061.520] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0061.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0061.520] lstrlenW (lpString="Spooler") returned 7 [0061.520] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0061.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0061.520] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0061.520] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0061.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0061.520] lstrlenW (lpString="swprv") returned 5 [0061.520] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0061.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0061.520] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0061.520] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0061.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0061.520] lstrlenW (lpString="SysMain") returned 7 [0061.520] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0061.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0061.520] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0061.520] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0061.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0061.521] lstrlenW (lpString="Themes") returned 6 [0061.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0061.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0061.521] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0061.521] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0061.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0061.521] lstrlenW (lpString="TrkWks") returned 6 [0061.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0061.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0061.521] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0061.521] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0061.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0061.521] lstrlenW (lpString="UxSms") returned 5 [0061.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0061.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0061.521] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0061.521] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0061.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0061.521] lstrlenW (lpString="VSS") returned 3 [0061.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0061.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0061.521] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0061.521] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0061.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0061.521] lstrlenW (lpString="WdiServiceHost") returned 14 [0061.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0061.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0061.522] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0061.522] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0061.522] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0061.522] lstrlenW (lpString="WdiSystemHost") returned 13 [0061.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0061.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0061.522] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0061.522] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0061.522] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0061.522] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0061.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0061.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0061.522] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0061.522] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0061.522] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0061.522] lstrlenW (lpString="Winmgmt") returned 7 [0061.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0061.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0061.522] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0061.522] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0061.522] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0061.522] lstrlenW (lpString="WPDBusEnum") returned 10 [0061.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0061.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0061.522] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0061.522] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0061.523] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0061.523] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6e1cf0 | out: hHeap=0x5f0000) returned 1 [0061.523] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x210 [0061.526] Process32FirstW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0061.527] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0061.527] lstrlenW (lpString="System") returned 6 [0061.527] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0061.527] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0061.527] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0061.527] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0061.527] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0061.527] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0061.527] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0061.527] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0061.528] lstrlenW (lpString="smss.exe") returned 8 [0061.528] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0061.528] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0061.528] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0061.528] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0061.528] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0061.528] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0061.528] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0061.528] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0061.528] lstrlenW (lpString="csrss.exe") returned 9 [0061.528] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0061.528] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0061.528] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0061.528] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0061.528] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0061.528] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0061.528] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0061.528] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0061.529] lstrlenW (lpString="wininit.exe") returned 11 [0061.529] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0061.529] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0061.529] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0061.529] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0061.529] lstrlenW (lpString="csrss.exe") returned 9 [0061.529] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0061.529] lstrlenW (lpString="winlogon.exe") returned 12 [0061.529] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0061.530] lstrlenW (lpString="services.exe") returned 12 [0061.530] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0061.530] lstrlenW (lpString="lsass.exe") returned 9 [0061.530] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0061.530] lstrlenW (lpString="lsm.exe") returned 7 [0061.530] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.530] lstrlenW (lpString="svchost.exe") returned 11 [0061.531] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.531] lstrlenW (lpString="svchost.exe") returned 11 [0061.531] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.531] lstrlenW (lpString="svchost.exe") returned 11 [0061.531] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.531] lstrlenW (lpString="svchost.exe") returned 11 [0061.531] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.532] lstrlenW (lpString="svchost.exe") returned 11 [0061.532] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0061.532] lstrlenW (lpString="audiodg.exe") returned 11 [0061.532] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.532] lstrlenW (lpString="svchost.exe") returned 11 [0061.532] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.533] lstrlenW (lpString="svchost.exe") returned 11 [0061.533] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0061.533] lstrlenW (lpString="dwm.exe") returned 7 [0061.533] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0061.533] lstrlenW (lpString="explorer.exe") returned 12 [0061.533] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0061.533] lstrlenW (lpString="spoolsv.exe") returned 11 [0061.534] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.534] lstrlenW (lpString="svchost.exe") returned 11 [0061.534] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0061.534] lstrlenW (lpString="taskhost.exe") returned 12 [0061.534] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0061.534] lstrlenW (lpString="taskeng.exe") returned 11 [0061.534] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0061.535] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0061.535] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0061.535] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0061.535] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0061.535] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0061.535] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0061.536] lstrlenW (lpString="celebrateowen.exe") returned 17 [0061.536] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0061.536] lstrlenW (lpString="highlights.exe") returned 14 [0061.537] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0061.537] lstrlenW (lpString="armorthunder.exe") returned 16 [0061.537] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0061.537] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0061.537] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0061.537] lstrlenW (lpString="root.exe") returned 8 [0061.537] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0061.538] lstrlenW (lpString="searches.exe") returned 12 [0061.538] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0061.538] lstrlenW (lpString="gnu.exe") returned 7 [0061.538] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0061.538] lstrlenW (lpString="lat differences.exe") returned 19 [0061.538] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0061.539] lstrlenW (lpString="wetdelayed.exe") returned 14 [0061.539] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0061.539] lstrlenW (lpString="scarydm.exe") returned 11 [0061.539] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0061.539] lstrlenW (lpString="relating coating ride.exe") returned 25 [0061.539] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0061.539] lstrlenW (lpString="compressed.exe") returned 14 [0061.540] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0061.540] lstrlenW (lpString="installing.exe") returned 14 [0061.540] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0061.540] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0061.540] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0061.540] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0061.540] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0061.541] lstrlenW (lpString="3dftp.exe") returned 9 [0061.541] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0061.541] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0061.541] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0061.541] lstrlenW (lpString="alftp.exe") returned 9 [0061.541] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0061.542] lstrlenW (lpString="barca.exe") returned 9 [0061.542] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0061.542] lstrlenW (lpString="bitkinex.exe") returned 12 [0061.542] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0061.542] lstrlenW (lpString="coreftp.exe") returned 11 [0061.542] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0061.542] lstrlenW (lpString="far.exe") returned 7 [0061.543] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0061.543] lstrlenW (lpString="filezilla.exe") returned 13 [0061.543] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0061.543] lstrlenW (lpString="flashfxp.exe") returned 12 [0061.543] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0061.543] lstrlenW (lpString="fling.exe") returned 9 [0061.543] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0061.544] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0061.544] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0061.544] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0061.544] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0061.544] lstrlenW (lpString="icq.exe") returned 7 [0061.544] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0061.545] lstrlenW (lpString="leechftp.exe") returned 12 [0061.545] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0061.545] lstrlenW (lpString="ncftp.exe") returned 9 [0061.545] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0061.545] lstrlenW (lpString="notepad.exe") returned 11 [0061.545] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0061.546] lstrlenW (lpString="operamail.exe") returned 13 [0061.546] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0061.546] lstrlenW (lpString="pidgin.exe") returned 10 [0061.546] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0061.546] lstrlenW (lpString="scriptftp.exe") returned 13 [0061.546] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0061.547] lstrlenW (lpString="skype.exe") returned 9 [0061.547] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0061.547] lstrlenW (lpString="smartftp.exe") returned 12 [0061.547] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0061.548] lstrlenW (lpString="thunderbird.exe") returned 15 [0061.548] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0061.548] lstrlenW (lpString="totalcmd.exe") returned 12 [0061.548] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0061.548] lstrlenW (lpString="trillian.exe") returned 12 [0061.548] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0061.549] lstrlenW (lpString="webdrive.exe") returned 12 [0061.549] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0061.549] lstrlenW (lpString="whatsapp.exe") returned 12 [0061.549] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0061.550] lstrlenW (lpString="winscp.exe") returned 10 [0061.550] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0061.550] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0061.550] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0061.550] lstrlenW (lpString="active-charge.exe") returned 17 [0061.551] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0061.551] lstrlenW (lpString="accupos.exe") returned 11 [0061.551] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0062.273] lstrlenW (lpString="afr38.exe") returned 9 [0062.274] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0062.274] lstrlenW (lpString="aldelo.exe") returned 10 [0062.274] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0062.275] lstrlenW (lpString="ccv_server.exe") returned 14 [0062.275] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0062.275] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0062.275] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0062.275] lstrlenW (lpString="creditservice.exe") returned 17 [0062.275] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0062.276] lstrlenW (lpString="edcsvr.exe") returned 10 [0062.276] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0062.276] lstrlenW (lpString="fpos.exe") returned 8 [0062.276] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0062.277] lstrlenW (lpString="isspos.exe") returned 10 [0062.277] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0062.277] lstrlenW (lpString="mxslipstream.exe") returned 16 [0062.277] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0062.277] lstrlenW (lpString="omnipos.exe") returned 11 [0062.277] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0062.278] lstrlenW (lpString="spcwin.exe") returned 10 [0062.278] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0062.278] lstrlenW (lpString="spgagentservice.exe") returned 19 [0062.278] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0062.278] lstrlenW (lpString="utg2.exe") returned 8 [0062.279] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0062.279] lstrlenW (lpString="november_objects.exe") returned 20 [0062.279] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0062.279] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0062.279] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0062.280] lstrlenW (lpString="peace_bite.exe") returned 14 [0062.280] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0062.280] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0062.280] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0062.280] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0062.280] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0062.281] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0062.281] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0062.281] lstrlenW (lpString="taskhost.exe") returned 12 [0062.281] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0062.281] lstrlenW (lpString="winhost.exe") returned 11 [0062.281] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0062.282] lstrlenW (lpString="cmd.exe") returned 7 [0062.282] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0062.282] lstrlenW (lpString="conhost.exe") returned 11 [0062.282] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0062.282] lstrlenW (lpString="vssadmin.exe") returned 12 [0062.283] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0062.283] lstrlenW (lpString="VSSVC.exe") returned 9 [0062.283] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.283] lstrlenW (lpString="svchost.exe") returned 11 [0062.283] Process32NextW (in: hSnapshot=0x210, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0062.283] CloseHandle (hObject=0x210) returned 1 [0062.284] Sleep (dwMilliseconds=0x1f4) [0062.989] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x675190 [0062.990] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0062.991] GetLastError () returned 0xea [0062.991] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x6e1cf0 [0062.991] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6e1cf0, cbBufSize=0x12c6, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6e1cf0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0062.992] CloseServiceHandle (hSCObject=0x675190) returned 1 [0062.992] lstrlenW (lpString="Appinfo") returned 7 [0062.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0062.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0062.992] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0062.992] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0062.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0062.992] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0062.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0062.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0062.992] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0062.992] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0062.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0062.992] lstrlenW (lpString="AudioSrv") returned 8 [0062.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0062.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0062.992] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0062.992] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0062.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0062.992] lstrlenW (lpString="BFE") returned 3 [0062.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0062.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0062.993] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0062.993] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0062.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0062.993] lstrlenW (lpString="CryptSvc") returned 8 [0062.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0062.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0062.993] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0062.993] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0062.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0062.993] lstrlenW (lpString="CscService") returned 10 [0062.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0062.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0062.993] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0062.993] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0062.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0062.993] lstrlenW (lpString="DcomLaunch") returned 10 [0062.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0062.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0062.993] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0062.993] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0062.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0062.993] lstrlenW (lpString="Dhcp") returned 4 [0062.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0062.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0062.993] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0062.993] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0062.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0062.993] lstrlenW (lpString="Dnscache") returned 8 [0062.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0062.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0062.993] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0062.993] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0062.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0062.994] lstrlenW (lpString="DPS") returned 3 [0062.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0062.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0062.994] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0062.994] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0062.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0062.994] lstrlenW (lpString="eventlog") returned 8 [0062.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0062.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0062.994] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0062.994] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0062.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0062.994] lstrlenW (lpString="EventSystem") returned 11 [0062.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0062.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0062.994] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0062.994] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0062.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0062.994] lstrlenW (lpString="gpsvc") returned 5 [0062.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0062.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0062.994] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0062.994] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0062.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0062.994] lstrlenW (lpString="iphlpsvc") returned 8 [0062.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0062.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0062.994] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0062.994] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0062.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0062.994] lstrlenW (lpString="LanmanServer") returned 12 [0062.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0062.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0062.995] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0062.995] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0062.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0062.995] lstrlenW (lpString="LanmanWorkstation") returned 17 [0062.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0062.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0062.995] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0062.995] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0062.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0062.995] lstrlenW (lpString="lmhosts") returned 7 [0062.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0062.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0062.995] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0062.995] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0062.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0062.995] lstrlenW (lpString="MMCSS") returned 5 [0062.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0062.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0062.995] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0062.995] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0062.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0062.995] lstrlenW (lpString="MpsSvc") returned 6 [0062.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0062.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0062.995] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0062.995] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0062.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0062.995] lstrlenW (lpString="Netman") returned 6 [0062.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0062.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0062.995] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0062.995] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0062.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0062.995] lstrlenW (lpString="netprofm") returned 8 [0062.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0062.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0062.996] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0062.996] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0062.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0062.996] lstrlenW (lpString="NlaSvc") returned 6 [0062.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0062.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0062.996] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0062.996] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0062.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0062.996] lstrlenW (lpString="nsi") returned 3 [0062.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0062.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0062.996] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0062.996] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0062.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0062.996] lstrlenW (lpString="PcaSvc") returned 6 [0062.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0062.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0062.996] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0062.996] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0062.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0062.996] lstrlenW (lpString="PlugPlay") returned 8 [0062.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0062.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0062.996] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0062.996] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0062.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0062.996] lstrlenW (lpString="Power") returned 5 [0062.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0062.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0062.996] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0062.996] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0062.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0062.996] lstrlenW (lpString="ProfSvc") returned 7 [0062.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0062.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0062.997] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0062.997] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0062.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0062.997] lstrlenW (lpString="RpcEptMapper") returned 12 [0062.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0062.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0062.997] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0062.997] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0062.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0062.997] lstrlenW (lpString="RpcSs") returned 5 [0062.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0062.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0062.997] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0062.997] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0062.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0062.997] lstrlenW (lpString="SamSs") returned 5 [0062.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0062.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0062.997] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0062.997] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0062.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0062.997] lstrlenW (lpString="Schedule") returned 8 [0062.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0062.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0062.997] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0062.997] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0062.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0062.997] lstrlenW (lpString="SENS") returned 4 [0062.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0062.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0062.997] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0062.997] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0062.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0062.997] lstrlenW (lpString="ShellHWDetection") returned 16 [0062.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0062.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0062.998] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0062.998] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0062.998] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0062.998] lstrlenW (lpString="Spooler") returned 7 [0062.998] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0062.998] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0062.998] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0062.998] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0062.998] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0062.998] lstrlenW (lpString="swprv") returned 5 [0062.998] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0062.998] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0062.998] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0062.998] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0062.998] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0062.998] lstrlenW (lpString="SysMain") returned 7 [0062.998] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0062.998] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0062.998] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0062.998] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0062.998] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0062.998] lstrlenW (lpString="Themes") returned 6 [0062.998] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0062.998] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0062.998] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0062.998] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0062.998] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0062.998] lstrlenW (lpString="TrkWks") returned 6 [0062.998] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0062.998] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0062.998] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0062.999] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0062.999] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0062.999] lstrlenW (lpString="UxSms") returned 5 [0062.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0062.999] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0062.999] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0062.999] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0062.999] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0062.999] lstrlenW (lpString="VSS") returned 3 [0062.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0062.999] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0062.999] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0062.999] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0062.999] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0062.999] lstrlenW (lpString="WdiServiceHost") returned 14 [0062.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0062.999] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0062.999] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0062.999] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0062.999] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0062.999] lstrlenW (lpString="WdiSystemHost") returned 13 [0062.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0062.999] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0062.999] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0062.999] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0062.999] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0062.999] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0062.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0062.999] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0062.999] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0062.999] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0062.999] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0062.999] lstrlenW (lpString="Winmgmt") returned 7 [0062.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0062.999] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0062.999] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0062.999] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0063.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0063.000] lstrlenW (lpString="WPDBusEnum") returned 10 [0063.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0063.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0063.000] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0063.000] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0063.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0063.000] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6e1cf0 | out: hHeap=0x5f0000) returned 1 [0063.000] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x184 [0063.004] Process32FirstW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.004] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0063.004] lstrlenW (lpString="System") returned 6 [0063.004] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0063.004] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0063.004] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0063.004] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0063.004] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0063.004] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0063.004] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0063.004] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0063.005] lstrlenW (lpString="smss.exe") returned 8 [0063.005] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0063.005] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0063.005] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0063.005] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0063.005] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0063.005] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0063.005] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0063.005] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0063.005] lstrlenW (lpString="csrss.exe") returned 9 [0063.005] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0063.005] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0063.005] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0063.005] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0063.005] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0063.005] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0063.005] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0063.005] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0063.006] lstrlenW (lpString="wininit.exe") returned 11 [0063.006] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0063.006] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0063.006] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0063.006] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0063.006] lstrlenW (lpString="csrss.exe") returned 9 [0063.006] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0063.007] lstrlenW (lpString="winlogon.exe") returned 12 [0063.007] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0063.007] lstrlenW (lpString="services.exe") returned 12 [0063.007] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0063.007] lstrlenW (lpString="lsass.exe") returned 9 [0063.007] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0063.007] lstrlenW (lpString="lsm.exe") returned 7 [0063.007] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.008] lstrlenW (lpString="svchost.exe") returned 11 [0063.008] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.008] lstrlenW (lpString="svchost.exe") returned 11 [0063.008] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.008] lstrlenW (lpString="svchost.exe") returned 11 [0063.008] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.009] lstrlenW (lpString="svchost.exe") returned 11 [0063.009] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2a, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.009] lstrlenW (lpString="svchost.exe") returned 11 [0063.009] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0063.009] lstrlenW (lpString="audiodg.exe") returned 11 [0063.009] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.010] lstrlenW (lpString="svchost.exe") returned 11 [0063.010] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.010] lstrlenW (lpString="svchost.exe") returned 11 [0063.010] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0063.010] lstrlenW (lpString="dwm.exe") returned 7 [0063.010] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0063.010] lstrlenW (lpString="explorer.exe") returned 12 [0063.011] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0063.011] lstrlenW (lpString="spoolsv.exe") returned 11 [0063.011] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.011] lstrlenW (lpString="svchost.exe") returned 11 [0063.011] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0063.011] lstrlenW (lpString="taskhost.exe") returned 12 [0063.011] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0063.012] lstrlenW (lpString="taskeng.exe") returned 11 [0063.012] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0063.012] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0063.012] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0063.012] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0063.012] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0063.013] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0063.013] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0063.013] lstrlenW (lpString="celebrateowen.exe") returned 17 [0063.013] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0063.013] lstrlenW (lpString="highlights.exe") returned 14 [0063.013] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0063.013] lstrlenW (lpString="armorthunder.exe") returned 16 [0063.013] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0063.014] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0063.014] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0063.014] lstrlenW (lpString="root.exe") returned 8 [0063.014] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0063.014] lstrlenW (lpString="searches.exe") returned 12 [0063.014] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0063.015] lstrlenW (lpString="gnu.exe") returned 7 [0063.015] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0063.015] lstrlenW (lpString="lat differences.exe") returned 19 [0063.015] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0063.015] lstrlenW (lpString="wetdelayed.exe") returned 14 [0063.015] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0063.016] lstrlenW (lpString="scarydm.exe") returned 11 [0063.016] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0063.016] lstrlenW (lpString="relating coating ride.exe") returned 25 [0063.016] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0063.016] lstrlenW (lpString="compressed.exe") returned 14 [0063.016] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0063.017] lstrlenW (lpString="installing.exe") returned 14 [0063.017] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0063.017] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0063.017] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0063.017] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0063.017] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0063.017] lstrlenW (lpString="3dftp.exe") returned 9 [0063.017] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0063.052] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0063.052] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0063.052] lstrlenW (lpString="alftp.exe") returned 9 [0063.052] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0063.053] lstrlenW (lpString="barca.exe") returned 9 [0063.053] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0063.053] lstrlenW (lpString="bitkinex.exe") returned 12 [0063.053] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0063.054] lstrlenW (lpString="coreftp.exe") returned 11 [0063.054] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0063.054] lstrlenW (lpString="far.exe") returned 7 [0063.054] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0063.054] lstrlenW (lpString="filezilla.exe") returned 13 [0063.054] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0063.055] lstrlenW (lpString="flashfxp.exe") returned 12 [0063.055] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0063.055] lstrlenW (lpString="fling.exe") returned 9 [0063.055] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0063.055] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0063.056] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0063.056] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0063.056] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0063.056] lstrlenW (lpString="icq.exe") returned 7 [0063.056] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0063.057] lstrlenW (lpString="leechftp.exe") returned 12 [0063.057] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0063.057] lstrlenW (lpString="ncftp.exe") returned 9 [0063.057] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0063.057] lstrlenW (lpString="notepad.exe") returned 11 [0063.058] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0063.058] lstrlenW (lpString="operamail.exe") returned 13 [0063.058] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0063.059] lstrlenW (lpString="pidgin.exe") returned 10 [0063.059] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0063.059] lstrlenW (lpString="scriptftp.exe") returned 13 [0063.059] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0063.060] lstrlenW (lpString="skype.exe") returned 9 [0063.060] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0063.060] lstrlenW (lpString="smartftp.exe") returned 12 [0063.060] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0063.061] lstrlenW (lpString="thunderbird.exe") returned 15 [0063.061] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0063.061] lstrlenW (lpString="totalcmd.exe") returned 12 [0063.062] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0063.062] lstrlenW (lpString="trillian.exe") returned 12 [0063.062] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0063.063] lstrlenW (lpString="webdrive.exe") returned 12 [0063.063] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0063.063] lstrlenW (lpString="whatsapp.exe") returned 12 [0063.063] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0063.064] lstrlenW (lpString="winscp.exe") returned 10 [0063.064] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0063.064] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0063.064] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0063.089] lstrlenW (lpString="active-charge.exe") returned 17 [0063.089] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0063.089] lstrlenW (lpString="accupos.exe") returned 11 [0063.089] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0063.090] lstrlenW (lpString="afr38.exe") returned 9 [0063.090] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0063.090] lstrlenW (lpString="aldelo.exe") returned 10 [0063.090] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0063.091] lstrlenW (lpString="ccv_server.exe") returned 14 [0063.091] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0063.091] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0063.091] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0063.091] lstrlenW (lpString="creditservice.exe") returned 17 [0063.092] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0063.092] lstrlenW (lpString="edcsvr.exe") returned 10 [0063.092] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0063.092] lstrlenW (lpString="fpos.exe") returned 8 [0063.092] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0063.093] lstrlenW (lpString="isspos.exe") returned 10 [0063.093] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0063.093] lstrlenW (lpString="mxslipstream.exe") returned 16 [0063.093] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0063.093] lstrlenW (lpString="omnipos.exe") returned 11 [0063.093] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0063.094] lstrlenW (lpString="spcwin.exe") returned 10 [0063.094] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0063.094] lstrlenW (lpString="spgagentservice.exe") returned 19 [0063.094] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0063.094] lstrlenW (lpString="utg2.exe") returned 8 [0063.095] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0063.095] lstrlenW (lpString="november_objects.exe") returned 20 [0063.095] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0063.095] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0063.095] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0063.096] lstrlenW (lpString="peace_bite.exe") returned 14 [0063.096] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0063.096] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0063.096] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0063.096] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0063.097] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0063.097] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0063.097] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0063.097] lstrlenW (lpString="taskhost.exe") returned 12 [0063.097] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0063.097] lstrlenW (lpString="winhost.exe") returned 11 [0063.098] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0063.098] lstrlenW (lpString="cmd.exe") returned 7 [0063.098] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0063.098] lstrlenW (lpString="conhost.exe") returned 11 [0063.098] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0063.099] lstrlenW (lpString="vssadmin.exe") returned 12 [0063.099] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0063.099] lstrlenW (lpString="VSSVC.exe") returned 9 [0063.099] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.099] lstrlenW (lpString="svchost.exe") returned 11 [0063.099] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0063.100] CloseHandle (hObject=0x184) returned 1 [0063.100] Sleep (dwMilliseconds=0x1f4) [0063.611] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x675190 [0063.612] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0063.612] GetLastError () returned 0xea [0063.612] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x675ed8 [0063.612] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x675ed8, cbBufSize=0x12c6, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x675ed8, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0063.613] CloseServiceHandle (hSCObject=0x675190) returned 1 [0063.613] lstrlenW (lpString="Appinfo") returned 7 [0063.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0063.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0063.613] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0063.613] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0063.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0063.613] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0063.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0063.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0063.613] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0063.613] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0063.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0063.613] lstrlenW (lpString="AudioSrv") returned 8 [0063.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0063.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0063.613] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0063.613] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0063.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0063.613] lstrlenW (lpString="BFE") returned 3 [0063.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0063.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0063.614] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0063.614] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0063.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0063.614] lstrlenW (lpString="CryptSvc") returned 8 [0063.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0063.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0063.614] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0063.614] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0063.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0063.614] lstrlenW (lpString="CscService") returned 10 [0063.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0063.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0063.614] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0063.614] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0063.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0063.614] lstrlenW (lpString="DcomLaunch") returned 10 [0063.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0063.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0063.614] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0063.614] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0063.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0063.614] lstrlenW (lpString="Dhcp") returned 4 [0063.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0063.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0063.614] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0063.614] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0063.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0063.614] lstrlenW (lpString="Dnscache") returned 8 [0063.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0063.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0063.614] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0063.614] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0063.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0063.614] lstrlenW (lpString="DPS") returned 3 [0063.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0063.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0063.614] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0063.615] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0063.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0063.615] lstrlenW (lpString="eventlog") returned 8 [0063.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0063.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0063.615] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0063.615] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0063.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0063.615] lstrlenW (lpString="EventSystem") returned 11 [0063.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0063.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0063.615] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0063.615] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0063.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0063.615] lstrlenW (lpString="gpsvc") returned 5 [0063.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0063.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0063.615] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0063.615] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0063.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0063.615] lstrlenW (lpString="iphlpsvc") returned 8 [0063.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0063.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0063.615] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0063.615] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0063.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0063.615] lstrlenW (lpString="LanmanServer") returned 12 [0063.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0063.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0063.615] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0063.615] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0063.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0063.615] lstrlenW (lpString="LanmanWorkstation") returned 17 [0063.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0063.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0063.615] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0063.615] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0063.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0063.616] lstrlenW (lpString="lmhosts") returned 7 [0063.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0063.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0063.616] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0063.616] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0063.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0063.616] lstrlenW (lpString="MMCSS") returned 5 [0063.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0063.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0063.616] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0063.616] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0063.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0063.616] lstrlenW (lpString="MpsSvc") returned 6 [0063.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0063.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0063.616] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0063.616] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0063.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0063.616] lstrlenW (lpString="Netman") returned 6 [0063.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0063.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0063.616] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0063.616] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0063.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0063.616] lstrlenW (lpString="netprofm") returned 8 [0063.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0063.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0063.616] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0063.616] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0063.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0063.616] lstrlenW (lpString="NlaSvc") returned 6 [0063.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0063.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0063.616] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0063.616] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0063.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0063.616] lstrlenW (lpString="nsi") returned 3 [0063.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0063.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0063.617] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0063.617] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0063.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0063.617] lstrlenW (lpString="PcaSvc") returned 6 [0063.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0063.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0063.617] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0063.617] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0063.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0063.617] lstrlenW (lpString="PlugPlay") returned 8 [0063.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0063.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0063.617] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0063.617] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0063.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0063.617] lstrlenW (lpString="Power") returned 5 [0063.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0063.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0063.617] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0063.617] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0063.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0063.617] lstrlenW (lpString="ProfSvc") returned 7 [0063.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0063.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0063.617] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0063.617] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0063.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0063.617] lstrlenW (lpString="RpcEptMapper") returned 12 [0063.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0063.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0063.617] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0063.617] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0063.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0063.617] lstrlenW (lpString="RpcSs") returned 5 [0063.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0063.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0063.618] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0063.618] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0063.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0063.618] lstrlenW (lpString="SamSs") returned 5 [0063.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0063.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0063.618] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0063.618] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0063.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0063.618] lstrlenW (lpString="Schedule") returned 8 [0063.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0063.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0063.618] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0063.618] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0063.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0063.618] lstrlenW (lpString="SENS") returned 4 [0063.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0063.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0063.618] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0063.618] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0063.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0063.618] lstrlenW (lpString="ShellHWDetection") returned 16 [0063.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0063.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0063.618] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0063.618] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0063.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0063.618] lstrlenW (lpString="Spooler") returned 7 [0063.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0063.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0063.618] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0063.618] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0063.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0063.618] lstrlenW (lpString="swprv") returned 5 [0063.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0063.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0063.618] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0063.618] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0063.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0063.619] lstrlenW (lpString="SysMain") returned 7 [0063.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0063.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0063.619] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0063.619] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0063.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0063.619] lstrlenW (lpString="Themes") returned 6 [0063.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0063.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0063.619] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0063.619] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0063.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0063.619] lstrlenW (lpString="TrkWks") returned 6 [0063.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0063.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0063.619] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0063.619] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0063.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0063.619] lstrlenW (lpString="UxSms") returned 5 [0063.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0063.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0063.619] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0063.619] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0063.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0063.619] lstrlenW (lpString="VSS") returned 3 [0063.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0063.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0063.619] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0063.619] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0063.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0063.619] lstrlenW (lpString="WdiServiceHost") returned 14 [0063.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0063.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0063.619] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0063.619] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0063.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0063.619] lstrlenW (lpString="WdiSystemHost") returned 13 [0063.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0063.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0063.620] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0063.620] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0063.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0063.620] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0063.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0063.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0063.620] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0063.620] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0063.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0063.620] lstrlenW (lpString="Winmgmt") returned 7 [0063.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0063.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0063.620] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0063.620] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0063.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0063.620] lstrlenW (lpString="WPDBusEnum") returned 10 [0063.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0063.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0063.620] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0063.620] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0063.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0063.620] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x675ed8 | out: hHeap=0x5f0000) returned 1 [0063.621] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x184 [0063.624] Process32FirstW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.625] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0063.625] lstrlenW (lpString="System") returned 6 [0063.625] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0063.625] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0063.625] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0063.625] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0063.625] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0063.625] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0063.625] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0063.625] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0063.625] lstrlenW (lpString="smss.exe") returned 8 [0063.625] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0063.625] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0063.625] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0063.625] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0063.625] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0063.626] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0063.626] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0063.626] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0063.626] lstrlenW (lpString="csrss.exe") returned 9 [0063.626] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0063.626] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0063.626] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0063.626] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0063.626] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0063.626] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0063.626] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0063.626] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0063.626] lstrlenW (lpString="wininit.exe") returned 11 [0063.627] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0063.627] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0063.627] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0063.627] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0063.627] lstrlenW (lpString="csrss.exe") returned 9 [0063.627] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0063.628] lstrlenW (lpString="winlogon.exe") returned 12 [0063.628] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0063.628] lstrlenW (lpString="services.exe") returned 12 [0063.628] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0063.628] lstrlenW (lpString="lsass.exe") returned 9 [0063.628] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0063.629] lstrlenW (lpString="lsm.exe") returned 7 [0063.629] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.629] lstrlenW (lpString="svchost.exe") returned 11 [0063.629] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.629] lstrlenW (lpString="svchost.exe") returned 11 [0063.629] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.629] lstrlenW (lpString="svchost.exe") returned 11 [0063.629] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.630] lstrlenW (lpString="svchost.exe") returned 11 [0063.630] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.630] lstrlenW (lpString="svchost.exe") returned 11 [0063.630] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0063.630] lstrlenW (lpString="audiodg.exe") returned 11 [0063.630] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.631] lstrlenW (lpString="svchost.exe") returned 11 [0063.631] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.632] lstrlenW (lpString="svchost.exe") returned 11 [0063.632] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0063.632] lstrlenW (lpString="dwm.exe") returned 7 [0063.632] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0063.632] lstrlenW (lpString="explorer.exe") returned 12 [0063.633] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0063.633] lstrlenW (lpString="spoolsv.exe") returned 11 [0063.633] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.633] lstrlenW (lpString="svchost.exe") returned 11 [0063.633] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0063.633] lstrlenW (lpString="taskhost.exe") returned 12 [0063.633] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0063.634] lstrlenW (lpString="taskeng.exe") returned 11 [0063.634] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0063.634] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0063.634] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0063.634] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0063.634] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0063.635] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0063.635] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0063.635] lstrlenW (lpString="celebrateowen.exe") returned 17 [0063.635] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0063.635] lstrlenW (lpString="highlights.exe") returned 14 [0063.636] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0063.636] lstrlenW (lpString="armorthunder.exe") returned 16 [0063.636] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0063.636] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0063.636] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0063.637] lstrlenW (lpString="root.exe") returned 8 [0063.637] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0063.637] lstrlenW (lpString="searches.exe") returned 12 [0063.637] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0063.637] lstrlenW (lpString="gnu.exe") returned 7 [0063.637] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0063.637] lstrlenW (lpString="lat differences.exe") returned 19 [0063.638] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0063.638] lstrlenW (lpString="wetdelayed.exe") returned 14 [0063.638] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0063.638] lstrlenW (lpString="scarydm.exe") returned 11 [0063.638] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0063.638] lstrlenW (lpString="relating coating ride.exe") returned 25 [0063.638] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0063.639] lstrlenW (lpString="compressed.exe") returned 14 [0063.639] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0063.639] lstrlenW (lpString="installing.exe") returned 14 [0063.639] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0063.639] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0063.639] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0063.640] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0063.640] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0063.640] lstrlenW (lpString="3dftp.exe") returned 9 [0063.640] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0063.640] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0063.640] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0063.641] lstrlenW (lpString="alftp.exe") returned 9 [0063.641] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0063.641] lstrlenW (lpString="barca.exe") returned 9 [0063.641] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0063.641] lstrlenW (lpString="bitkinex.exe") returned 12 [0063.641] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0063.641] lstrlenW (lpString="coreftp.exe") returned 11 [0063.642] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0063.642] lstrlenW (lpString="far.exe") returned 7 [0063.642] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0063.642] lstrlenW (lpString="filezilla.exe") returned 13 [0063.642] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0063.643] lstrlenW (lpString="flashfxp.exe") returned 12 [0063.643] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0063.643] lstrlenW (lpString="fling.exe") returned 9 [0063.643] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0063.643] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0063.643] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0063.644] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0063.644] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0063.644] lstrlenW (lpString="icq.exe") returned 7 [0063.644] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0063.644] lstrlenW (lpString="leechftp.exe") returned 12 [0063.647] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0063.648] lstrlenW (lpString="ncftp.exe") returned 9 [0063.648] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0063.648] lstrlenW (lpString="notepad.exe") returned 11 [0063.648] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0063.648] lstrlenW (lpString="operamail.exe") returned 13 [0063.648] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0063.649] lstrlenW (lpString="pidgin.exe") returned 10 [0063.649] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0063.649] lstrlenW (lpString="scriptftp.exe") returned 13 [0063.649] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0063.650] lstrlenW (lpString="skype.exe") returned 9 [0063.650] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0063.650] lstrlenW (lpString="smartftp.exe") returned 12 [0063.650] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0063.650] lstrlenW (lpString="thunderbird.exe") returned 15 [0063.651] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0063.651] lstrlenW (lpString="totalcmd.exe") returned 12 [0063.651] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0063.651] lstrlenW (lpString="trillian.exe") returned 12 [0063.651] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0063.652] lstrlenW (lpString="webdrive.exe") returned 12 [0063.652] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0063.652] lstrlenW (lpString="whatsapp.exe") returned 12 [0063.652] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0063.653] lstrlenW (lpString="winscp.exe") returned 10 [0063.653] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0063.653] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0063.653] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0063.653] lstrlenW (lpString="active-charge.exe") returned 17 [0063.653] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0063.654] lstrlenW (lpString="accupos.exe") returned 11 [0063.654] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0063.654] lstrlenW (lpString="afr38.exe") returned 9 [0063.654] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0063.655] lstrlenW (lpString="aldelo.exe") returned 10 [0063.655] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0063.655] lstrlenW (lpString="ccv_server.exe") returned 14 [0063.655] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0063.903] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0063.903] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0063.903] lstrlenW (lpString="creditservice.exe") returned 17 [0063.903] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0063.903] lstrlenW (lpString="edcsvr.exe") returned 10 [0063.904] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0063.904] lstrlenW (lpString="fpos.exe") returned 8 [0063.904] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0063.904] lstrlenW (lpString="isspos.exe") returned 10 [0063.904] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0063.905] lstrlenW (lpString="mxslipstream.exe") returned 16 [0063.905] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0063.905] lstrlenW (lpString="omnipos.exe") returned 11 [0063.905] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0063.906] lstrlenW (lpString="spcwin.exe") returned 10 [0063.906] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0063.906] lstrlenW (lpString="spgagentservice.exe") returned 19 [0063.906] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0063.906] lstrlenW (lpString="utg2.exe") returned 8 [0063.906] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0063.907] lstrlenW (lpString="november_objects.exe") returned 20 [0063.907] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0063.907] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0063.907] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0063.908] lstrlenW (lpString="peace_bite.exe") returned 14 [0063.908] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0063.908] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0063.908] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0063.908] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0063.908] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0063.909] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0063.909] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0063.909] lstrlenW (lpString="taskhost.exe") returned 12 [0063.909] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0063.909] lstrlenW (lpString="winhost.exe") returned 11 [0063.909] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0063.910] lstrlenW (lpString="cmd.exe") returned 7 [0063.910] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0063.910] lstrlenW (lpString="conhost.exe") returned 11 [0063.910] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0063.910] lstrlenW (lpString="vssadmin.exe") returned 12 [0063.910] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0063.911] lstrlenW (lpString="VSSVC.exe") returned 9 [0063.911] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.911] lstrlenW (lpString="svchost.exe") returned 11 [0063.911] Process32NextW (in: hSnapshot=0x184, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0063.911] CloseHandle (hObject=0x184) returned 1 [0063.911] Sleep (dwMilliseconds=0x1f4) [0064.499] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x675190 [0064.499] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0064.501] GetLastError () returned 0xea [0064.501] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x675ed8 [0064.501] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x675ed8, cbBufSize=0x12c6, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x675ed8, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0064.502] CloseServiceHandle (hSCObject=0x675190) returned 1 [0064.502] lstrlenW (lpString="Appinfo") returned 7 [0064.502] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0064.502] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0064.502] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0064.502] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0064.503] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0064.503] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0064.503] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0064.503] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0064.503] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0064.503] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0064.503] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0064.503] lstrlenW (lpString="AudioSrv") returned 8 [0064.503] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0064.503] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0064.503] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0064.503] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0064.503] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0064.503] lstrlenW (lpString="BFE") returned 3 [0064.503] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0064.503] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0064.503] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0064.503] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0064.503] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0064.503] lstrlenW (lpString="CryptSvc") returned 8 [0064.503] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0064.503] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0064.503] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0064.503] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0064.503] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0064.503] lstrlenW (lpString="CscService") returned 10 [0064.503] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0064.504] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0064.504] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0064.504] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0064.504] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0064.504] lstrlenW (lpString="DcomLaunch") returned 10 [0064.504] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0064.504] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0064.504] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0064.504] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0064.504] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0064.504] lstrlenW (lpString="Dhcp") returned 4 [0064.504] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0064.504] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0064.504] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0064.504] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0064.504] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0064.504] lstrlenW (lpString="Dnscache") returned 8 [0064.504] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0064.504] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0064.504] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0064.504] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0064.504] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0064.504] lstrlenW (lpString="DPS") returned 3 [0064.504] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0064.504] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0064.504] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0064.505] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0064.505] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0064.505] lstrlenW (lpString="eventlog") returned 8 [0064.505] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0064.505] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0064.505] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0064.505] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0064.505] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0064.505] lstrlenW (lpString="EventSystem") returned 11 [0064.505] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0064.505] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0064.505] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0064.505] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0064.505] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0064.505] lstrlenW (lpString="gpsvc") returned 5 [0064.505] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0064.505] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0064.505] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0064.505] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0064.505] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0064.505] lstrlenW (lpString="iphlpsvc") returned 8 [0064.505] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0064.505] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0064.505] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0064.505] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0064.505] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0064.505] lstrlenW (lpString="LanmanServer") returned 12 [0064.506] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0064.506] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0064.506] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0064.506] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0064.506] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0064.506] lstrlenW (lpString="LanmanWorkstation") returned 17 [0064.506] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0064.506] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0064.506] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0064.506] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0064.506] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0064.506] lstrlenW (lpString="lmhosts") returned 7 [0064.506] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0064.506] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0064.506] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0064.506] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0064.506] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0064.506] lstrlenW (lpString="MMCSS") returned 5 [0064.506] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0064.506] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0064.506] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0064.506] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0064.506] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0064.506] lstrlenW (lpString="MpsSvc") returned 6 [0064.506] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0064.507] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0064.507] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0064.507] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0064.507] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0064.507] lstrlenW (lpString="Netman") returned 6 [0064.507] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0064.507] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0064.507] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0064.507] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0064.507] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0064.507] lstrlenW (lpString="netprofm") returned 8 [0064.507] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0064.507] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0064.507] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0064.507] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0064.507] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0064.507] lstrlenW (lpString="NlaSvc") returned 6 [0064.507] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0064.507] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0064.507] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0064.507] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0064.507] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0064.507] lstrlenW (lpString="nsi") returned 3 [0064.507] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0064.507] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0064.507] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0064.508] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0064.508] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0064.508] lstrlenW (lpString="PcaSvc") returned 6 [0064.508] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0064.508] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0064.508] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0064.508] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0064.508] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0064.508] lstrlenW (lpString="PlugPlay") returned 8 [0064.508] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0064.508] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0064.508] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0064.508] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0064.508] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0064.508] lstrlenW (lpString="Power") returned 5 [0064.508] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0064.508] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0064.508] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0064.508] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0064.508] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0064.508] lstrlenW (lpString="ProfSvc") returned 7 [0064.508] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0064.508] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0064.508] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0064.508] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0064.508] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0064.509] lstrlenW (lpString="RpcEptMapper") returned 12 [0064.509] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0064.509] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0064.509] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0064.509] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0064.509] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0064.509] lstrlenW (lpString="RpcSs") returned 5 [0064.509] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0064.509] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0064.509] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0064.509] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0064.509] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0064.509] lstrlenW (lpString="SamSs") returned 5 [0064.509] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0064.509] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0064.509] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0064.509] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0064.509] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0064.509] lstrlenW (lpString="Schedule") returned 8 [0064.509] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0064.509] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0064.509] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0064.509] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0064.509] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0064.509] lstrlenW (lpString="SENS") returned 4 [0064.509] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0064.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0064.510] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0064.510] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0064.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0064.510] lstrlenW (lpString="ShellHWDetection") returned 16 [0064.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0064.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0064.510] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0064.510] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0064.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0064.510] lstrlenW (lpString="Spooler") returned 7 [0064.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0064.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0064.510] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0064.510] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0064.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0064.510] lstrlenW (lpString="swprv") returned 5 [0064.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0064.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0064.510] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0064.510] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0064.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0064.510] lstrlenW (lpString="SysMain") returned 7 [0064.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0064.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0064.510] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0064.510] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0064.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0064.510] lstrlenW (lpString="Themes") returned 6 [0064.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0064.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0064.511] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0064.511] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0064.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0064.511] lstrlenW (lpString="TrkWks") returned 6 [0064.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0064.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0064.511] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0064.511] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0064.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0064.511] lstrlenW (lpString="UxSms") returned 5 [0064.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0064.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0064.511] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0064.511] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0064.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0064.511] lstrlenW (lpString="VSS") returned 3 [0064.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0064.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0064.511] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0064.511] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0064.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0064.511] lstrlenW (lpString="WdiServiceHost") returned 14 [0064.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0064.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0064.511] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0064.511] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0064.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0064.511] lstrlenW (lpString="WdiSystemHost") returned 13 [0064.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0064.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0064.512] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0064.512] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0064.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0064.512] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0064.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0064.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0064.512] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0064.512] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0064.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0064.512] lstrlenW (lpString="Winmgmt") returned 7 [0064.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0064.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0064.512] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0064.512] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0064.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0064.512] lstrlenW (lpString="WPDBusEnum") returned 10 [0064.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0064.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0064.512] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0064.512] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0064.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0064.512] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x675ed8 | out: hHeap=0x5f0000) returned 1 [0064.512] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1ac [0064.518] Process32FirstW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0064.518] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0064.518] lstrlenW (lpString="System") returned 6 [0064.518] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0064.519] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0064.519] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0064.519] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0064.519] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0064.519] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0064.519] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0064.519] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0064.519] lstrlenW (lpString="smss.exe") returned 8 [0064.519] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0064.519] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0064.519] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0064.519] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0064.519] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0064.519] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0064.519] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0064.519] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0064.520] lstrlenW (lpString="csrss.exe") returned 9 [0064.520] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0064.520] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0064.520] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0064.520] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0064.520] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0064.520] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0064.520] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0064.520] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0064.520] lstrlenW (lpString="wininit.exe") returned 11 [0064.520] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0064.520] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0064.520] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0064.521] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0064.521] lstrlenW (lpString="csrss.exe") returned 9 [0064.521] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0064.521] lstrlenW (lpString="winlogon.exe") returned 12 [0064.521] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0064.522] lstrlenW (lpString="services.exe") returned 12 [0064.522] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0064.522] lstrlenW (lpString="lsass.exe") returned 9 [0064.522] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0064.522] lstrlenW (lpString="lsm.exe") returned 7 [0064.522] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.523] lstrlenW (lpString="svchost.exe") returned 11 [0064.523] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.523] lstrlenW (lpString="svchost.exe") returned 11 [0064.523] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.523] lstrlenW (lpString="svchost.exe") returned 11 [0064.523] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.524] lstrlenW (lpString="svchost.exe") returned 11 [0064.524] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2d, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.524] lstrlenW (lpString="svchost.exe") returned 11 [0064.524] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0064.525] lstrlenW (lpString="audiodg.exe") returned 11 [0064.525] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.525] lstrlenW (lpString="svchost.exe") returned 11 [0064.525] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.525] lstrlenW (lpString="svchost.exe") returned 11 [0064.525] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0064.526] lstrlenW (lpString="dwm.exe") returned 7 [0064.526] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0064.526] lstrlenW (lpString="explorer.exe") returned 12 [0064.526] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0064.526] lstrlenW (lpString="spoolsv.exe") returned 11 [0064.527] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.527] lstrlenW (lpString="svchost.exe") returned 11 [0064.527] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0064.527] lstrlenW (lpString="taskhost.exe") returned 12 [0064.527] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0064.528] lstrlenW (lpString="taskeng.exe") returned 11 [0064.528] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0064.528] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0064.528] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0064.528] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0064.528] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0064.529] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0064.529] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0064.529] lstrlenW (lpString="celebrateowen.exe") returned 17 [0064.529] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0064.530] lstrlenW (lpString="highlights.exe") returned 14 [0064.530] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0064.530] lstrlenW (lpString="armorthunder.exe") returned 16 [0064.530] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0064.530] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0064.530] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0064.531] lstrlenW (lpString="root.exe") returned 8 [0064.531] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0064.532] lstrlenW (lpString="searches.exe") returned 12 [0064.532] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0064.532] lstrlenW (lpString="gnu.exe") returned 7 [0064.532] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0064.533] lstrlenW (lpString="lat differences.exe") returned 19 [0064.533] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0064.533] lstrlenW (lpString="wetdelayed.exe") returned 14 [0064.533] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0064.534] lstrlenW (lpString="scarydm.exe") returned 11 [0064.534] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0064.534] lstrlenW (lpString="relating coating ride.exe") returned 25 [0064.534] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0064.626] lstrlenW (lpString="compressed.exe") returned 14 [0064.626] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0064.626] lstrlenW (lpString="installing.exe") returned 14 [0064.626] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0064.627] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0064.627] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0064.627] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0064.627] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0064.628] lstrlenW (lpString="3dftp.exe") returned 9 [0064.628] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0064.628] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0064.628] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0064.629] lstrlenW (lpString="alftp.exe") returned 9 [0064.629] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0064.629] lstrlenW (lpString="barca.exe") returned 9 [0064.629] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0064.629] lstrlenW (lpString="bitkinex.exe") returned 12 [0064.629] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0064.630] lstrlenW (lpString="coreftp.exe") returned 11 [0064.630] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0064.630] lstrlenW (lpString="far.exe") returned 7 [0064.630] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0064.631] lstrlenW (lpString="filezilla.exe") returned 13 [0064.631] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0064.631] lstrlenW (lpString="flashfxp.exe") returned 12 [0064.631] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0064.632] lstrlenW (lpString="fling.exe") returned 9 [0064.632] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0064.632] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0064.632] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0064.632] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0064.632] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0064.633] lstrlenW (lpString="icq.exe") returned 7 [0064.633] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0064.633] lstrlenW (lpString="leechftp.exe") returned 12 [0064.633] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0064.634] lstrlenW (lpString="ncftp.exe") returned 9 [0064.634] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0064.634] lstrlenW (lpString="notepad.exe") returned 11 [0064.634] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0064.635] lstrlenW (lpString="operamail.exe") returned 13 [0064.635] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0064.635] lstrlenW (lpString="pidgin.exe") returned 10 [0064.635] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0064.636] lstrlenW (lpString="scriptftp.exe") returned 13 [0064.636] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0064.636] lstrlenW (lpString="skype.exe") returned 9 [0064.636] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0064.637] lstrlenW (lpString="smartftp.exe") returned 12 [0064.637] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0064.637] lstrlenW (lpString="thunderbird.exe") returned 15 [0064.637] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0064.638] lstrlenW (lpString="totalcmd.exe") returned 12 [0064.638] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0064.638] lstrlenW (lpString="trillian.exe") returned 12 [0064.639] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0064.639] lstrlenW (lpString="webdrive.exe") returned 12 [0064.639] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0064.640] lstrlenW (lpString="whatsapp.exe") returned 12 [0064.640] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0064.641] lstrlenW (lpString="winscp.exe") returned 10 [0064.641] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0064.641] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0064.641] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0064.642] lstrlenW (lpString="active-charge.exe") returned 17 [0064.642] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0064.643] lstrlenW (lpString="accupos.exe") returned 11 [0064.643] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0064.643] lstrlenW (lpString="afr38.exe") returned 9 [0064.643] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0064.644] lstrlenW (lpString="aldelo.exe") returned 10 [0064.644] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0064.644] lstrlenW (lpString="ccv_server.exe") returned 14 [0064.644] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0064.645] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0064.645] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0064.645] lstrlenW (lpString="creditservice.exe") returned 17 [0064.645] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0064.646] lstrlenW (lpString="edcsvr.exe") returned 10 [0064.646] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0064.646] lstrlenW (lpString="fpos.exe") returned 8 [0064.646] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0064.647] lstrlenW (lpString="isspos.exe") returned 10 [0064.647] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0064.647] lstrlenW (lpString="mxslipstream.exe") returned 16 [0064.647] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0064.648] lstrlenW (lpString="omnipos.exe") returned 11 [0064.648] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0064.648] lstrlenW (lpString="spcwin.exe") returned 10 [0064.648] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0064.649] lstrlenW (lpString="spgagentservice.exe") returned 19 [0064.649] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0064.649] lstrlenW (lpString="utg2.exe") returned 8 [0064.649] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0064.650] lstrlenW (lpString="november_objects.exe") returned 20 [0064.650] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0064.650] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0064.650] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0064.651] lstrlenW (lpString="peace_bite.exe") returned 14 [0064.651] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0064.651] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0064.651] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0064.652] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0064.652] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0064.652] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0064.652] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0064.653] lstrlenW (lpString="taskhost.exe") returned 12 [0064.653] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0064.653] lstrlenW (lpString="winhost.exe") returned 11 [0064.653] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0064.653] lstrlenW (lpString="cmd.exe") returned 7 [0064.654] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0064.654] lstrlenW (lpString="conhost.exe") returned 11 [0064.654] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0064.654] lstrlenW (lpString="vssadmin.exe") returned 12 [0064.655] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0064.655] lstrlenW (lpString="VSSVC.exe") returned 9 [0064.655] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.655] lstrlenW (lpString="svchost.exe") returned 11 [0064.655] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0064.657] CloseHandle (hObject=0x1ac) returned 1 [0064.657] Sleep (dwMilliseconds=0x1f4) [0065.288] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x675190 [0065.289] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0065.289] GetLastError () returned 0xea [0065.289] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x675ed8 [0065.290] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x675ed8, cbBufSize=0x12c6, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x675ed8, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0065.290] CloseServiceHandle (hSCObject=0x675190) returned 1 [0065.291] lstrlenW (lpString="Appinfo") returned 7 [0065.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0065.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0065.291] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0065.291] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0065.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0065.291] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0065.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0065.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0065.291] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0065.291] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0065.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0065.291] lstrlenW (lpString="AudioSrv") returned 8 [0065.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0065.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0065.291] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0065.291] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0065.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0065.291] lstrlenW (lpString="BFE") returned 3 [0065.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0065.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0065.291] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0065.292] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0065.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0065.292] lstrlenW (lpString="CryptSvc") returned 8 [0065.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0065.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0065.292] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0065.292] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0065.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0065.292] lstrlenW (lpString="CscService") returned 10 [0065.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0065.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0065.292] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0065.292] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0065.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0065.292] lstrlenW (lpString="DcomLaunch") returned 10 [0065.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0065.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0065.292] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0065.292] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0065.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0065.292] lstrlenW (lpString="Dhcp") returned 4 [0065.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0065.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0065.292] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0065.292] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0065.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0065.292] lstrlenW (lpString="Dnscache") returned 8 [0065.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0065.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0065.293] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0065.293] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0065.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0065.293] lstrlenW (lpString="DPS") returned 3 [0065.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0065.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0065.293] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0065.293] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0065.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0065.293] lstrlenW (lpString="eventlog") returned 8 [0065.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0065.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0065.293] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0065.293] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0065.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0065.293] lstrlenW (lpString="EventSystem") returned 11 [0065.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0065.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0065.293] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0065.293] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0065.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0065.294] lstrlenW (lpString="gpsvc") returned 5 [0065.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0065.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0065.294] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0065.294] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0065.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0065.294] lstrlenW (lpString="iphlpsvc") returned 8 [0065.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0065.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0065.294] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0065.294] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0065.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0065.294] lstrlenW (lpString="LanmanServer") returned 12 [0065.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0065.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0065.294] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0065.294] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0065.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0065.294] lstrlenW (lpString="LanmanWorkstation") returned 17 [0065.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0065.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0065.294] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0065.294] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0065.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0065.295] lstrlenW (lpString="lmhosts") returned 7 [0065.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0065.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0065.295] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0065.295] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0065.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0065.295] lstrlenW (lpString="MMCSS") returned 5 [0065.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0065.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0065.295] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0065.295] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0065.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0065.295] lstrlenW (lpString="MpsSvc") returned 6 [0065.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0065.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0065.295] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0065.295] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0065.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0065.295] lstrlenW (lpString="Netman") returned 6 [0065.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0065.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0065.296] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0065.296] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0065.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0065.296] lstrlenW (lpString="netprofm") returned 8 [0065.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0065.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0065.296] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0065.296] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0065.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0065.296] lstrlenW (lpString="NlaSvc") returned 6 [0065.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0065.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0065.296] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0065.296] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0065.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0065.296] lstrlenW (lpString="nsi") returned 3 [0065.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0065.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0065.296] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0065.296] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0065.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0065.296] lstrlenW (lpString="PcaSvc") returned 6 [0065.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0065.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0065.297] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0065.297] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0065.297] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0065.297] lstrlenW (lpString="PlugPlay") returned 8 [0065.297] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0065.297] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0065.297] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0065.297] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0065.297] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0065.297] lstrlenW (lpString="Power") returned 5 [0065.297] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0065.297] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0065.297] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0065.297] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0065.297] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0065.297] lstrlenW (lpString="ProfSvc") returned 7 [0065.297] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0065.297] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0065.297] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0065.297] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0065.297] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0065.297] lstrlenW (lpString="RpcEptMapper") returned 12 [0065.297] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0065.297] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0065.297] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0065.297] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0065.297] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0065.297] lstrlenW (lpString="RpcSs") returned 5 [0065.297] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0065.297] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0065.297] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0065.298] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0065.298] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0065.298] lstrlenW (lpString="SamSs") returned 5 [0065.298] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0065.298] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0065.298] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0065.298] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0065.298] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0065.298] lstrlenW (lpString="Schedule") returned 8 [0065.298] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0065.298] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0065.298] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0065.298] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0065.298] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0065.298] lstrlenW (lpString="SENS") returned 4 [0065.298] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0065.298] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0065.298] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0065.298] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0065.299] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0065.299] lstrlenW (lpString="ShellHWDetection") returned 16 [0065.299] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0065.299] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0065.299] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0065.299] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0065.299] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0065.299] lstrlenW (lpString="Spooler") returned 7 [0065.299] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0065.299] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0065.299] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0065.299] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0065.299] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0065.299] lstrlenW (lpString="swprv") returned 5 [0065.299] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0065.299] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0065.299] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0065.299] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0065.299] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0065.299] lstrlenW (lpString="SysMain") returned 7 [0065.299] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0065.299] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0065.299] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0065.300] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0065.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0065.300] lstrlenW (lpString="Themes") returned 6 [0065.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0065.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0065.300] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0065.300] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0065.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0065.300] lstrlenW (lpString="TrkWks") returned 6 [0065.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0065.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0065.300] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0065.300] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0065.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0065.300] lstrlenW (lpString="UxSms") returned 5 [0065.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0065.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0065.300] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0065.300] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0065.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0065.300] lstrlenW (lpString="VSS") returned 3 [0065.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0065.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0065.300] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0065.300] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0065.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0065.300] lstrlenW (lpString="WdiServiceHost") returned 14 [0065.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0065.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0065.301] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0065.301] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0065.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0065.301] lstrlenW (lpString="WdiSystemHost") returned 13 [0065.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0065.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0065.301] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0065.301] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0065.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0065.301] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0065.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0065.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0065.301] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0065.301] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0065.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0065.301] lstrlenW (lpString="Winmgmt") returned 7 [0065.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0065.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0065.301] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0065.301] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0065.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0065.301] lstrlenW (lpString="WPDBusEnum") returned 10 [0065.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0065.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0065.301] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0065.301] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0065.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0065.301] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x675ed8 | out: hHeap=0x5f0000) returned 1 [0065.302] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x21c [0065.306] Process32FirstW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0065.307] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0065.307] lstrlenW (lpString="System") returned 6 [0065.307] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0065.307] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0065.307] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0065.307] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0065.307] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0065.307] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0065.307] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0065.307] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0065.308] lstrlenW (lpString="smss.exe") returned 8 [0065.308] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0065.308] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0065.308] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0065.308] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0065.308] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0065.308] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0065.308] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0065.308] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0065.308] lstrlenW (lpString="csrss.exe") returned 9 [0065.308] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0065.308] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0065.308] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0065.308] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0065.308] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0065.308] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0065.308] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0065.308] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0065.309] lstrlenW (lpString="wininit.exe") returned 11 [0065.309] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0065.309] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0065.309] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0065.309] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0065.309] lstrlenW (lpString="csrss.exe") returned 9 [0065.309] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0065.310] lstrlenW (lpString="winlogon.exe") returned 12 [0065.310] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0065.310] lstrlenW (lpString="services.exe") returned 12 [0065.310] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0065.310] lstrlenW (lpString="lsass.exe") returned 9 [0065.311] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0065.311] lstrlenW (lpString="lsm.exe") returned 7 [0065.311] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.312] lstrlenW (lpString="svchost.exe") returned 11 [0065.312] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.312] lstrlenW (lpString="svchost.exe") returned 11 [0065.312] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.312] lstrlenW (lpString="svchost.exe") returned 11 [0065.313] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.313] lstrlenW (lpString="svchost.exe") returned 11 [0065.313] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.313] lstrlenW (lpString="svchost.exe") returned 11 [0065.313] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0065.313] lstrlenW (lpString="audiodg.exe") returned 11 [0065.314] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.314] lstrlenW (lpString="svchost.exe") returned 11 [0065.314] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.314] lstrlenW (lpString="svchost.exe") returned 11 [0065.314] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0065.315] lstrlenW (lpString="dwm.exe") returned 7 [0065.315] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0065.315] lstrlenW (lpString="explorer.exe") returned 12 [0065.315] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0065.315] lstrlenW (lpString="spoolsv.exe") returned 11 [0065.315] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.316] lstrlenW (lpString="svchost.exe") returned 11 [0065.316] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0065.316] lstrlenW (lpString="taskhost.exe") returned 12 [0065.316] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0065.316] lstrlenW (lpString="taskeng.exe") returned 11 [0065.316] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0065.317] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0065.317] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0065.317] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0065.317] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0065.317] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0065.317] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0065.318] lstrlenW (lpString="celebrateowen.exe") returned 17 [0065.318] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0065.318] lstrlenW (lpString="highlights.exe") returned 14 [0065.318] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0065.318] lstrlenW (lpString="armorthunder.exe") returned 16 [0065.318] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0065.319] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0065.319] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0065.319] lstrlenW (lpString="root.exe") returned 8 [0065.319] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0065.319] lstrlenW (lpString="searches.exe") returned 12 [0065.319] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0065.320] lstrlenW (lpString="gnu.exe") returned 7 [0065.320] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0065.320] lstrlenW (lpString="lat differences.exe") returned 19 [0065.320] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0065.320] lstrlenW (lpString="wetdelayed.exe") returned 14 [0065.321] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0065.321] lstrlenW (lpString="scarydm.exe") returned 11 [0065.321] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0065.321] lstrlenW (lpString="relating coating ride.exe") returned 25 [0065.321] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0065.321] lstrlenW (lpString="compressed.exe") returned 14 [0065.322] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0065.322] lstrlenW (lpString="installing.exe") returned 14 [0065.322] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0065.322] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0065.322] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0065.323] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0065.323] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0065.323] lstrlenW (lpString="3dftp.exe") returned 9 [0065.323] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0065.323] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0065.323] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0065.323] lstrlenW (lpString="alftp.exe") returned 9 [0065.324] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0065.324] lstrlenW (lpString="barca.exe") returned 9 [0065.324] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0065.324] lstrlenW (lpString="bitkinex.exe") returned 12 [0065.324] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0065.324] lstrlenW (lpString="coreftp.exe") returned 11 [0065.325] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0065.325] lstrlenW (lpString="far.exe") returned 7 [0065.325] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0065.325] lstrlenW (lpString="filezilla.exe") returned 13 [0065.325] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0065.325] lstrlenW (lpString="flashfxp.exe") returned 12 [0065.326] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0065.326] lstrlenW (lpString="fling.exe") returned 9 [0065.326] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0065.326] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0065.326] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0066.534] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0066.535] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0066.545] lstrlenW (lpString="icq.exe") returned 7 [0066.545] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0066.545] lstrlenW (lpString="leechftp.exe") returned 12 [0066.545] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0066.545] lstrlenW (lpString="ncftp.exe") returned 9 [0066.545] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0066.546] lstrlenW (lpString="notepad.exe") returned 11 [0066.546] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0066.546] lstrlenW (lpString="operamail.exe") returned 13 [0066.546] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0066.547] lstrlenW (lpString="pidgin.exe") returned 10 [0066.547] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0066.547] lstrlenW (lpString="scriptftp.exe") returned 13 [0066.547] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0066.548] lstrlenW (lpString="skype.exe") returned 9 [0066.548] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0066.548] lstrlenW (lpString="smartftp.exe") returned 12 [0066.548] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0066.548] lstrlenW (lpString="thunderbird.exe") returned 15 [0066.548] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0066.549] lstrlenW (lpString="totalcmd.exe") returned 12 [0066.549] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0066.549] lstrlenW (lpString="trillian.exe") returned 12 [0066.549] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0066.550] lstrlenW (lpString="webdrive.exe") returned 12 [0066.550] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0066.550] lstrlenW (lpString="whatsapp.exe") returned 12 [0066.550] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0066.551] lstrlenW (lpString="winscp.exe") returned 10 [0066.551] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0066.551] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0066.551] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0066.552] lstrlenW (lpString="active-charge.exe") returned 17 [0066.552] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0066.552] lstrlenW (lpString="accupos.exe") returned 11 [0066.552] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0066.553] lstrlenW (lpString="afr38.exe") returned 9 [0066.553] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0066.553] lstrlenW (lpString="aldelo.exe") returned 10 [0066.553] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0066.553] lstrlenW (lpString="ccv_server.exe") returned 14 [0066.554] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0066.554] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0066.554] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0066.554] lstrlenW (lpString="creditservice.exe") returned 17 [0066.554] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0066.555] lstrlenW (lpString="edcsvr.exe") returned 10 [0066.555] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0066.555] lstrlenW (lpString="fpos.exe") returned 8 [0066.555] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0066.556] lstrlenW (lpString="isspos.exe") returned 10 [0066.556] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0066.556] lstrlenW (lpString="mxslipstream.exe") returned 16 [0066.556] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0066.556] lstrlenW (lpString="omnipos.exe") returned 11 [0066.556] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0066.557] lstrlenW (lpString="spcwin.exe") returned 10 [0066.557] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0066.557] lstrlenW (lpString="spgagentservice.exe") returned 19 [0066.557] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0066.558] lstrlenW (lpString="utg2.exe") returned 8 [0066.558] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0066.558] lstrlenW (lpString="november_objects.exe") returned 20 [0066.558] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0066.558] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0066.558] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0066.559] lstrlenW (lpString="peace_bite.exe") returned 14 [0066.559] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0066.560] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0066.560] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0066.560] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0066.560] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0066.561] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0066.561] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0066.561] lstrlenW (lpString="taskhost.exe") returned 12 [0066.561] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0066.562] lstrlenW (lpString="winhost.exe") returned 11 [0066.562] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0066.562] lstrlenW (lpString="cmd.exe") returned 7 [0066.562] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0066.563] lstrlenW (lpString="conhost.exe") returned 11 [0066.563] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0066.563] lstrlenW (lpString="vssadmin.exe") returned 12 [0066.563] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0066.564] lstrlenW (lpString="VSSVC.exe") returned 9 [0066.564] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.564] lstrlenW (lpString="svchost.exe") returned 11 [0066.564] Process32NextW (in: hSnapshot=0x21c, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0066.565] CloseHandle (hObject=0x21c) returned 1 [0066.565] Sleep (dwMilliseconds=0x1f4) [0067.128] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x675190 [0067.128] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0067.128] GetLastError () returned 0xea [0067.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x675ed8 [0067.129] EnumServicesStatusExW (in: hSCManager=0x675190, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x675ed8, cbBufSize=0x12c6, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x675ed8, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0067.129] CloseServiceHandle (hSCObject=0x675190) returned 1 [0067.130] lstrlenW (lpString="Appinfo") returned 7 [0067.130] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0067.130] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0067.130] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0067.130] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0067.130] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0067.130] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0067.130] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0067.130] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0067.130] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0067.130] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0067.130] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0067.130] lstrlenW (lpString="AudioSrv") returned 8 [0067.130] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0067.130] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0067.130] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0067.130] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0067.130] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0067.130] lstrlenW (lpString="BFE") returned 3 [0067.130] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0067.130] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0067.130] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0067.130] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0067.130] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0067.130] lstrlenW (lpString="CryptSvc") returned 8 [0067.130] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0067.130] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0067.131] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0067.131] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0067.131] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0067.131] lstrlenW (lpString="CscService") returned 10 [0067.131] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0067.131] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0067.131] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0067.131] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0067.131] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0067.131] lstrlenW (lpString="DcomLaunch") returned 10 [0067.131] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0067.131] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0067.131] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0067.131] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0067.131] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0067.131] lstrlenW (lpString="Dhcp") returned 4 [0067.131] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0067.131] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0067.131] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0067.131] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0067.131] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0067.131] lstrlenW (lpString="Dnscache") returned 8 [0067.131] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0067.131] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0067.131] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0067.131] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0067.131] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0067.131] lstrlenW (lpString="DPS") returned 3 [0067.131] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0067.131] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0067.132] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0067.132] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0067.132] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0067.132] lstrlenW (lpString="eventlog") returned 8 [0067.132] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0067.132] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0067.132] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0067.132] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0067.132] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0067.132] lstrlenW (lpString="EventSystem") returned 11 [0067.132] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0067.132] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0067.132] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0067.132] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0067.132] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0067.132] lstrlenW (lpString="gpsvc") returned 5 [0067.132] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0067.132] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0067.132] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0067.132] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0067.132] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0067.132] lstrlenW (lpString="iphlpsvc") returned 8 [0067.132] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0067.132] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0067.132] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0067.132] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0067.132] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0067.132] lstrlenW (lpString="LanmanServer") returned 12 [0067.132] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0067.132] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0067.133] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0067.133] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0067.133] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0067.133] lstrlenW (lpString="LanmanWorkstation") returned 17 [0067.133] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0067.133] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0067.133] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0067.133] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0067.133] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0067.133] lstrlenW (lpString="lmhosts") returned 7 [0067.133] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0067.133] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0067.133] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0067.133] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0067.133] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0067.133] lstrlenW (lpString="MMCSS") returned 5 [0067.133] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0067.133] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0067.133] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0067.133] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0067.133] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0067.133] lstrlenW (lpString="MpsSvc") returned 6 [0067.133] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0067.133] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0067.133] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0067.133] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0067.133] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0067.133] lstrlenW (lpString="Netman") returned 6 [0067.133] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0067.134] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0067.134] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0067.134] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0067.134] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0067.134] lstrlenW (lpString="netprofm") returned 8 [0067.134] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0067.134] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0067.134] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0067.134] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0067.134] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0067.134] lstrlenW (lpString="NlaSvc") returned 6 [0067.134] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0067.134] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0067.134] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0067.134] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0067.134] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0067.134] lstrlenW (lpString="nsi") returned 3 [0067.134] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0067.134] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0067.134] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0067.134] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0067.134] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0067.134] lstrlenW (lpString="PcaSvc") returned 6 [0067.134] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0067.134] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0067.134] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0067.134] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0067.134] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0067.134] lstrlenW (lpString="PlugPlay") returned 8 [0067.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0067.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0067.135] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0067.135] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0067.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0067.135] lstrlenW (lpString="Power") returned 5 [0067.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0067.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0067.135] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0067.135] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0067.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0067.135] lstrlenW (lpString="ProfSvc") returned 7 [0067.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0067.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0067.135] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0067.135] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0067.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0067.135] lstrlenW (lpString="RpcEptMapper") returned 12 [0067.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0067.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0067.135] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0067.135] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0067.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0067.135] lstrlenW (lpString="RpcSs") returned 5 [0067.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0067.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0067.135] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0067.135] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0067.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0067.135] lstrlenW (lpString="SamSs") returned 5 [0067.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0067.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0067.136] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0067.136] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0067.136] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0067.136] lstrlenW (lpString="Schedule") returned 8 [0067.136] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0067.136] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0067.136] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0067.136] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0067.136] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0067.136] lstrlenW (lpString="SENS") returned 4 [0067.136] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0067.136] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0067.136] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0067.136] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0067.136] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0067.136] lstrlenW (lpString="ShellHWDetection") returned 16 [0067.136] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0067.136] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0067.136] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0067.136] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0067.136] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0067.136] lstrlenW (lpString="Spooler") returned 7 [0067.136] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0067.136] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0067.137] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0067.137] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0067.137] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0067.137] lstrlenW (lpString="swprv") returned 5 [0067.137] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0067.137] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0067.137] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0067.137] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0067.137] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0067.137] lstrlenW (lpString="SysMain") returned 7 [0067.137] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0067.137] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0067.137] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0067.137] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0067.137] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0067.137] lstrlenW (lpString="Themes") returned 6 [0067.137] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0067.137] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0067.137] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0067.137] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0067.137] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0067.137] lstrlenW (lpString="TrkWks") returned 6 [0067.137] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0067.137] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0067.137] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0067.137] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0067.137] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0067.137] lstrlenW (lpString="UxSms") returned 5 [0067.137] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0067.137] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0067.137] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0067.137] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0067.138] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0067.138] lstrlenW (lpString="VSS") returned 3 [0067.138] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0067.138] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0067.138] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0067.138] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0067.138] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0067.138] lstrlenW (lpString="WdiServiceHost") returned 14 [0067.138] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0067.138] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0067.138] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0067.138] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0067.138] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0067.138] lstrlenW (lpString="WdiSystemHost") returned 13 [0067.138] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0067.138] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0067.138] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0067.138] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0067.138] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0067.138] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0067.138] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0067.138] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0067.138] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0067.138] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0067.138] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0067.138] lstrlenW (lpString="Winmgmt") returned 7 [0067.138] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0067.138] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0067.138] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0067.138] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0067.138] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0067.138] lstrlenW (lpString="WPDBusEnum") returned 10 [0067.139] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0067.139] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0067.139] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0067.139] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0067.139] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0067.139] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x675ed8 | out: hHeap=0x5f0000) returned 1 [0067.139] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1ac [0067.143] Process32FirstW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0067.143] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0067.143] lstrlenW (lpString="System") returned 6 [0067.143] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0067.143] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0067.143] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0067.143] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0067.143] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0067.143] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0067.143] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0067.143] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0067.144] lstrlenW (lpString="smss.exe") returned 8 [0067.144] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0067.144] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0067.144] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0067.144] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0067.144] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0067.144] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0067.144] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0067.144] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0067.144] lstrlenW (lpString="csrss.exe") returned 9 [0067.144] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0067.144] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0067.144] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0067.144] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0067.144] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0067.144] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0067.144] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0067.144] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0067.145] lstrlenW (lpString="wininit.exe") returned 11 [0067.145] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0067.145] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0067.145] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0067.145] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0067.145] lstrlenW (lpString="csrss.exe") returned 9 [0067.145] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0067.146] lstrlenW (lpString="winlogon.exe") returned 12 [0067.146] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0067.146] lstrlenW (lpString="services.exe") returned 12 [0067.146] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0067.146] lstrlenW (lpString="lsass.exe") returned 9 [0067.146] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0067.147] lstrlenW (lpString="lsm.exe") returned 7 [0067.147] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.147] lstrlenW (lpString="svchost.exe") returned 11 [0067.147] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.147] lstrlenW (lpString="svchost.exe") returned 11 [0067.147] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.148] lstrlenW (lpString="svchost.exe") returned 11 [0067.148] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.148] lstrlenW (lpString="svchost.exe") returned 11 [0067.148] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.148] lstrlenW (lpString="svchost.exe") returned 11 [0067.148] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0067.149] lstrlenW (lpString="audiodg.exe") returned 11 [0067.149] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.149] lstrlenW (lpString="svchost.exe") returned 11 [0067.149] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.149] lstrlenW (lpString="svchost.exe") returned 11 [0067.149] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0067.150] lstrlenW (lpString="dwm.exe") returned 7 [0067.150] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0067.150] lstrlenW (lpString="explorer.exe") returned 12 [0067.150] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0067.150] lstrlenW (lpString="spoolsv.exe") returned 11 [0067.150] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.151] lstrlenW (lpString="svchost.exe") returned 11 [0067.151] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0067.151] lstrlenW (lpString="taskhost.exe") returned 12 [0067.151] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0067.151] lstrlenW (lpString="taskeng.exe") returned 11 [0067.151] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0067.152] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0067.152] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0067.152] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0067.152] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0067.152] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0067.152] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0067.152] lstrlenW (lpString="celebrateowen.exe") returned 17 [0067.153] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0067.153] lstrlenW (lpString="highlights.exe") returned 14 [0067.153] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0067.153] lstrlenW (lpString="armorthunder.exe") returned 16 [0067.153] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0067.153] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0067.154] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0067.154] lstrlenW (lpString="root.exe") returned 8 [0067.154] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0067.154] lstrlenW (lpString="searches.exe") returned 12 [0067.154] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0067.154] lstrlenW (lpString="gnu.exe") returned 7 [0067.155] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0067.155] lstrlenW (lpString="lat differences.exe") returned 19 [0067.155] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0067.155] lstrlenW (lpString="wetdelayed.exe") returned 14 [0067.155] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0067.155] lstrlenW (lpString="scarydm.exe") returned 11 [0067.156] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0067.156] lstrlenW (lpString="relating coating ride.exe") returned 25 [0067.156] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0067.156] lstrlenW (lpString="compressed.exe") returned 14 [0067.156] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0067.157] lstrlenW (lpString="installing.exe") returned 14 [0067.157] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0067.157] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0067.157] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0067.157] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0067.157] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0067.158] lstrlenW (lpString="3dftp.exe") returned 9 [0067.158] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0067.158] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0067.158] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0067.158] lstrlenW (lpString="alftp.exe") returned 9 [0067.158] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0067.159] lstrlenW (lpString="barca.exe") returned 9 [0067.159] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0067.159] lstrlenW (lpString="bitkinex.exe") returned 12 [0067.159] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0067.159] lstrlenW (lpString="coreftp.exe") returned 11 [0067.159] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0067.159] lstrlenW (lpString="far.exe") returned 7 [0067.160] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0067.160] lstrlenW (lpString="filezilla.exe") returned 13 [0067.160] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0067.160] lstrlenW (lpString="flashfxp.exe") returned 12 [0067.160] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0067.160] lstrlenW (lpString="fling.exe") returned 9 [0067.160] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0067.161] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0067.161] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0067.161] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0067.161] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0067.161] lstrlenW (lpString="icq.exe") returned 7 [0067.161] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0067.162] lstrlenW (lpString="leechftp.exe") returned 12 [0067.162] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0067.162] lstrlenW (lpString="ncftp.exe") returned 9 [0067.162] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0067.162] lstrlenW (lpString="notepad.exe") returned 11 [0067.162] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0067.163] lstrlenW (lpString="operamail.exe") returned 13 [0067.163] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0067.163] lstrlenW (lpString="pidgin.exe") returned 10 [0067.163] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0067.164] lstrlenW (lpString="scriptftp.exe") returned 13 [0067.164] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0067.164] lstrlenW (lpString="skype.exe") returned 9 [0067.164] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0067.165] lstrlenW (lpString="smartftp.exe") returned 12 [0067.165] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0067.165] lstrlenW (lpString="thunderbird.exe") returned 15 [0067.165] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0067.166] lstrlenW (lpString="totalcmd.exe") returned 12 [0067.166] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0067.166] lstrlenW (lpString="trillian.exe") returned 12 [0067.166] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0067.167] lstrlenW (lpString="webdrive.exe") returned 12 [0067.167] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0067.339] lstrlenW (lpString="whatsapp.exe") returned 12 [0067.340] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0067.340] lstrlenW (lpString="winscp.exe") returned 10 [0067.340] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0067.341] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0067.341] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0067.341] lstrlenW (lpString="active-charge.exe") returned 17 [0067.341] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0067.342] lstrlenW (lpString="accupos.exe") returned 11 [0067.342] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0067.342] lstrlenW (lpString="afr38.exe") returned 9 [0067.342] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0067.343] lstrlenW (lpString="aldelo.exe") returned 10 [0067.343] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0067.344] lstrlenW (lpString="ccv_server.exe") returned 14 [0067.344] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0067.344] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0067.344] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0067.345] lstrlenW (lpString="creditservice.exe") returned 17 [0067.345] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0067.345] lstrlenW (lpString="edcsvr.exe") returned 10 [0067.345] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0067.346] lstrlenW (lpString="fpos.exe") returned 8 [0067.346] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0067.346] lstrlenW (lpString="isspos.exe") returned 10 [0067.346] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0067.347] lstrlenW (lpString="mxslipstream.exe") returned 16 [0067.347] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0067.347] lstrlenW (lpString="omnipos.exe") returned 11 [0067.347] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0067.348] lstrlenW (lpString="spcwin.exe") returned 10 [0067.348] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0067.348] lstrlenW (lpString="spgagentservice.exe") returned 19 [0067.348] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0067.349] lstrlenW (lpString="utg2.exe") returned 8 [0067.349] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0067.349] lstrlenW (lpString="november_objects.exe") returned 20 [0067.349] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0067.350] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0067.350] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0067.350] lstrlenW (lpString="peace_bite.exe") returned 14 [0067.350] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0067.351] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0067.351] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0067.351] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0067.351] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0067.352] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0067.352] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0067.352] lstrlenW (lpString="taskhost.exe") returned 12 [0067.352] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0067.352] lstrlenW (lpString="winhost.exe") returned 11 [0067.353] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0067.353] lstrlenW (lpString="cmd.exe") returned 7 [0067.353] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0067.353] lstrlenW (lpString="conhost.exe") returned 11 [0067.354] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0067.354] lstrlenW (lpString="vssadmin.exe") returned 12 [0067.354] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0067.354] lstrlenW (lpString="VSSVC.exe") returned 9 [0067.354] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.356] lstrlenW (lpString="svchost.exe") returned 11 [0067.356] Process32NextW (in: hSnapshot=0x1ac, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0067.356] CloseHandle (hObject=0x1ac) returned 1 [0067.356] Sleep (dwMilliseconds=0x1f4) [0068.891] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x675208 [0068.891] EnumServicesStatusExW (in: hSCManager=0x675208, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0068.892] GetLastError () returned 0xea [0068.892] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x675ed8 [0068.893] EnumServicesStatusExW (in: hSCManager=0x675208, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x675ed8, cbBufSize=0x12c6, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x675ed8, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0068.893] CloseServiceHandle (hSCObject=0x675208) returned 1 [0068.894] lstrlenW (lpString="Appinfo") returned 7 [0068.894] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0068.894] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0068.894] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0068.894] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0068.894] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0068.894] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0068.894] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0068.894] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0068.894] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0068.894] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0068.894] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0068.894] lstrlenW (lpString="AudioSrv") returned 8 [0068.895] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0068.895] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0068.895] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0068.895] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0068.895] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0068.895] lstrlenW (lpString="BFE") returned 3 [0068.895] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0068.895] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0068.895] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0068.895] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0068.895] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0068.895] lstrlenW (lpString="CryptSvc") returned 8 [0068.895] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0068.895] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0068.895] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0068.896] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0068.896] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0068.896] lstrlenW (lpString="CscService") returned 10 [0068.896] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0068.896] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0068.896] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0068.896] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0068.896] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0068.896] lstrlenW (lpString="DcomLaunch") returned 10 [0068.896] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0068.896] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0068.896] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0068.896] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0068.896] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0068.896] lstrlenW (lpString="Dhcp") returned 4 [0068.896] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0068.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0068.897] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0068.897] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0068.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0068.897] lstrlenW (lpString="Dnscache") returned 8 [0068.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0068.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0068.897] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0068.897] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0068.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0068.897] lstrlenW (lpString="DPS") returned 3 [0068.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0068.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0068.897] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0068.897] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0068.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0068.897] lstrlenW (lpString="eventlog") returned 8 [0068.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0068.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0068.897] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0068.898] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0068.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0068.898] lstrlenW (lpString="EventSystem") returned 11 [0068.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0068.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0068.898] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0068.898] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0068.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0068.898] lstrlenW (lpString="gpsvc") returned 5 [0068.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0068.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0068.898] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0068.898] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0068.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0068.898] lstrlenW (lpString="iphlpsvc") returned 8 [0068.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0068.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0068.898] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0068.898] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0068.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0068.898] lstrlenW (lpString="LanmanServer") returned 12 [0068.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0068.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0068.899] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0068.899] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0068.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0068.899] lstrlenW (lpString="LanmanWorkstation") returned 17 [0068.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0068.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0068.899] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0068.899] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0068.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0068.899] lstrlenW (lpString="lmhosts") returned 7 [0068.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0068.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0068.899] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0068.899] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0068.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0068.900] lstrlenW (lpString="MMCSS") returned 5 [0068.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0068.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0068.900] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0068.900] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0068.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0068.900] lstrlenW (lpString="MpsSvc") returned 6 [0068.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0068.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0068.900] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0068.900] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0068.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0068.900] lstrlenW (lpString="Netman") returned 6 [0068.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0068.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0068.900] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0068.900] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0068.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0068.900] lstrlenW (lpString="netprofm") returned 8 [0068.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0068.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0068.900] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0068.900] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0068.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0068.900] lstrlenW (lpString="NlaSvc") returned 6 [0068.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0068.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0068.901] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0068.901] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0068.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0068.901] lstrlenW (lpString="nsi") returned 3 [0068.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0068.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0068.901] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0068.901] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0068.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0068.901] lstrlenW (lpString="PcaSvc") returned 6 [0068.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0068.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0068.901] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0068.901] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0068.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0068.901] lstrlenW (lpString="PlugPlay") returned 8 [0068.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0068.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0068.901] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0068.901] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0068.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0068.901] lstrlenW (lpString="Power") returned 5 [0068.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0068.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0068.902] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0068.902] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0068.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0068.902] lstrlenW (lpString="ProfSvc") returned 7 [0068.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0068.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0068.902] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0068.902] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0068.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0068.902] lstrlenW (lpString="RpcEptMapper") returned 12 [0068.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0068.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0068.902] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0068.902] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0068.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0068.902] lstrlenW (lpString="RpcSs") returned 5 [0068.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0068.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0068.902] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0068.902] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0068.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0068.902] lstrlenW (lpString="SamSs") returned 5 [0068.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0068.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0068.903] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0068.903] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0068.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0068.903] lstrlenW (lpString="Schedule") returned 8 [0068.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0068.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0068.903] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0068.903] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0068.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0068.903] lstrlenW (lpString="SENS") returned 4 [0068.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0068.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0068.903] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0068.903] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0068.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0068.903] lstrlenW (lpString="ShellHWDetection") returned 16 [0068.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0068.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0068.903] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0068.903] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0068.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0068.904] lstrlenW (lpString="Spooler") returned 7 [0068.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0068.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0068.904] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0068.904] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0068.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0068.904] lstrlenW (lpString="swprv") returned 5 [0068.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0068.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0068.904] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0068.904] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0068.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0068.904] lstrlenW (lpString="SysMain") returned 7 [0068.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0068.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0068.904] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0068.904] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0068.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0068.904] lstrlenW (lpString="Themes") returned 6 [0068.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0068.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0068.904] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0068.905] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0068.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0068.905] lstrlenW (lpString="TrkWks") returned 6 [0068.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0068.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0068.905] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0068.905] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0068.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0068.905] lstrlenW (lpString="UxSms") returned 5 [0068.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0068.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0068.905] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0068.905] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0068.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0068.905] lstrlenW (lpString="VSS") returned 3 [0068.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0068.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0068.905] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0068.905] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0068.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0068.905] lstrlenW (lpString="WdiServiceHost") returned 14 [0068.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0068.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0068.906] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0068.906] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0068.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0068.906] lstrlenW (lpString="WdiSystemHost") returned 13 [0068.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0068.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0068.906] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0068.906] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0068.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0068.906] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0068.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0068.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0068.906] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0068.906] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0068.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0068.906] lstrlenW (lpString="Winmgmt") returned 7 [0068.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0068.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0068.906] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0068.906] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0068.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0068.907] lstrlenW (lpString="WPDBusEnum") returned 10 [0068.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0068.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0068.907] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0068.907] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0068.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0068.907] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x675ed8 | out: hHeap=0x5f0000) returned 1 [0068.907] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x204 [0068.912] Process32FirstW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0068.912] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0068.913] lstrlenW (lpString="System") returned 6 [0068.913] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0068.913] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0068.913] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0068.913] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0068.913] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0068.913] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0068.913] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0068.913] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0068.913] lstrlenW (lpString="smss.exe") returned 8 [0068.913] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0068.914] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0068.914] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0068.914] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0068.914] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0068.914] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0068.914] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0068.914] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0068.914] lstrlenW (lpString="csrss.exe") returned 9 [0068.914] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0068.914] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0068.914] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0068.914] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0068.914] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0068.915] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0068.915] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0068.915] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0068.915] lstrlenW (lpString="wininit.exe") returned 11 [0068.915] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0068.915] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0068.915] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0068.916] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0068.916] lstrlenW (lpString="csrss.exe") returned 9 [0068.916] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0068.916] lstrlenW (lpString="winlogon.exe") returned 12 [0068.917] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0068.917] lstrlenW (lpString="services.exe") returned 12 [0068.917] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0068.917] lstrlenW (lpString="lsass.exe") returned 9 [0068.917] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0068.918] lstrlenW (lpString="lsm.exe") returned 7 [0068.918] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.918] lstrlenW (lpString="svchost.exe") returned 11 [0068.918] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.919] lstrlenW (lpString="svchost.exe") returned 11 [0068.919] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.919] lstrlenW (lpString="svchost.exe") returned 11 [0068.919] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.919] lstrlenW (lpString="svchost.exe") returned 11 [0068.919] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.920] lstrlenW (lpString="svchost.exe") returned 11 [0068.920] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0068.920] lstrlenW (lpString="audiodg.exe") returned 11 [0068.920] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.921] lstrlenW (lpString="svchost.exe") returned 11 [0068.921] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.921] lstrlenW (lpString="svchost.exe") returned 11 [0068.921] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0068.922] lstrlenW (lpString="dwm.exe") returned 7 [0068.922] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0068.922] lstrlenW (lpString="explorer.exe") returned 12 [0068.922] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0068.922] lstrlenW (lpString="spoolsv.exe") returned 11 [0068.923] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.923] lstrlenW (lpString="svchost.exe") returned 11 [0068.923] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0068.923] lstrlenW (lpString="taskhost.exe") returned 12 [0068.923] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0068.924] lstrlenW (lpString="taskeng.exe") returned 11 [0068.924] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0068.924] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0068.924] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0068.925] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0068.925] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0068.925] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0068.925] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0068.926] lstrlenW (lpString="celebrateowen.exe") returned 17 [0068.926] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0068.927] lstrlenW (lpString="highlights.exe") returned 14 [0068.927] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0068.928] lstrlenW (lpString="armorthunder.exe") returned 16 [0068.928] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0068.928] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0068.928] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0068.928] lstrlenW (lpString="root.exe") returned 8 [0068.928] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0068.929] lstrlenW (lpString="searches.exe") returned 12 [0068.929] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0068.929] lstrlenW (lpString="gnu.exe") returned 7 [0068.929] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0068.929] lstrlenW (lpString="lat differences.exe") returned 19 [0068.929] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0068.930] lstrlenW (lpString="wetdelayed.exe") returned 14 [0068.930] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0068.930] lstrlenW (lpString="scarydm.exe") returned 11 [0069.263] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0069.263] lstrlenW (lpString="relating coating ride.exe") returned 25 [0069.264] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0069.264] lstrlenW (lpString="compressed.exe") returned 14 [0069.264] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0069.264] lstrlenW (lpString="installing.exe") returned 14 [0069.265] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0069.265] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0069.265] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0069.265] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0069.265] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0069.266] lstrlenW (lpString="3dftp.exe") returned 9 [0069.266] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0069.266] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0069.266] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0069.267] lstrlenW (lpString="alftp.exe") returned 9 [0069.267] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0069.267] lstrlenW (lpString="barca.exe") returned 9 [0069.268] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0069.268] lstrlenW (lpString="bitkinex.exe") returned 12 [0069.268] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0069.268] lstrlenW (lpString="coreftp.exe") returned 11 [0069.269] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0069.269] lstrlenW (lpString="far.exe") returned 7 [0069.269] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0069.269] lstrlenW (lpString="filezilla.exe") returned 13 [0069.269] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0069.270] lstrlenW (lpString="flashfxp.exe") returned 12 [0069.270] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0069.270] lstrlenW (lpString="fling.exe") returned 9 [0069.270] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0069.271] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0069.271] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0069.271] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0069.271] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0069.272] lstrlenW (lpString="icq.exe") returned 7 [0069.272] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0069.272] lstrlenW (lpString="leechftp.exe") returned 12 [0069.272] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0069.273] lstrlenW (lpString="ncftp.exe") returned 9 [0069.273] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0069.274] lstrlenW (lpString="notepad.exe") returned 11 [0069.274] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0069.275] lstrlenW (lpString="operamail.exe") returned 13 [0069.275] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0069.275] lstrlenW (lpString="pidgin.exe") returned 10 [0069.276] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0069.276] lstrlenW (lpString="scriptftp.exe") returned 13 [0069.276] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0069.277] lstrlenW (lpString="skype.exe") returned 9 [0069.277] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0069.277] lstrlenW (lpString="smartftp.exe") returned 12 [0069.277] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0069.278] lstrlenW (lpString="thunderbird.exe") returned 15 [0069.278] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0069.279] lstrlenW (lpString="totalcmd.exe") returned 12 [0069.279] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0069.279] lstrlenW (lpString="trillian.exe") returned 12 [0069.279] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0069.280] lstrlenW (lpString="webdrive.exe") returned 12 [0069.280] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0069.280] lstrlenW (lpString="whatsapp.exe") returned 12 [0069.281] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0069.281] lstrlenW (lpString="winscp.exe") returned 10 [0069.281] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0069.282] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0069.282] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0069.282] lstrlenW (lpString="active-charge.exe") returned 17 [0069.282] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0069.283] lstrlenW (lpString="accupos.exe") returned 11 [0069.283] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0069.284] lstrlenW (lpString="afr38.exe") returned 9 [0069.284] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0069.284] lstrlenW (lpString="aldelo.exe") returned 10 [0069.284] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0069.285] lstrlenW (lpString="ccv_server.exe") returned 14 [0069.285] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0069.285] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0069.285] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0069.286] lstrlenW (lpString="creditservice.exe") returned 17 [0069.286] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0069.286] lstrlenW (lpString="edcsvr.exe") returned 10 [0069.286] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0069.287] lstrlenW (lpString="fpos.exe") returned 8 [0069.287] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0069.287] lstrlenW (lpString="isspos.exe") returned 10 [0069.288] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0069.288] lstrlenW (lpString="mxslipstream.exe") returned 16 [0069.288] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0069.289] lstrlenW (lpString="omnipos.exe") returned 11 [0069.289] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0069.289] lstrlenW (lpString="spcwin.exe") returned 10 [0069.289] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0069.290] lstrlenW (lpString="spgagentservice.exe") returned 19 [0069.290] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0069.291] lstrlenW (lpString="utg2.exe") returned 8 [0069.291] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0069.291] lstrlenW (lpString="november_objects.exe") returned 20 [0069.291] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0069.292] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0069.292] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0069.292] lstrlenW (lpString="peace_bite.exe") returned 14 [0069.292] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0069.293] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0069.293] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0069.293] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0069.293] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0069.294] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0069.294] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0069.294] lstrlenW (lpString="taskhost.exe") returned 12 [0069.294] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0069.295] lstrlenW (lpString="winhost.exe") returned 11 [0069.295] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0069.295] lstrlenW (lpString="cmd.exe") returned 7 [0069.295] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0069.296] lstrlenW (lpString="conhost.exe") returned 11 [0069.296] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0069.296] lstrlenW (lpString="vssadmin.exe") returned 12 [0069.296] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0069.297] lstrlenW (lpString="VSSVC.exe") returned 9 [0069.297] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.297] lstrlenW (lpString="svchost.exe") returned 11 [0069.297] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0069.297] lstrlenW (lpString="LogonUI.exe") returned 11 [0069.298] Process32NextW (in: hSnapshot=0x204, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0069.298] CloseHandle (hObject=0x204) returned 1 [0069.298] Sleep (dwMilliseconds=0x1f4) [0069.993] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x675168 [0069.994] EnumServicesStatusExW (in: hSCManager=0x675168, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 0 [0069.994] GetLastError () returned 0xea [0069.994] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x677ed8 [0069.995] EnumServicesStatusExW (in: hSCManager=0x675168, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x677ed8, cbBufSize=0x12c6, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x677ed8, pcbBytesNeeded=0x1f0ff44, lpServicesReturned=0x1f0ff5c, lpResumeHandle=0x0) returned 1 [0069.995] CloseServiceHandle (hSCObject=0x675168) returned 1 [0069.995] lstrlenW (lpString="Appinfo") returned 7 [0069.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0069.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0069.995] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0069.995] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0069.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0069.995] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0069.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0069.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0069.996] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0069.996] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0069.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0069.996] lstrlenW (lpString="AudioSrv") returned 8 [0069.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0069.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0069.996] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0069.996] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0069.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0069.996] lstrlenW (lpString="BFE") returned 3 [0069.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0069.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0069.996] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0069.996] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0069.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0069.996] lstrlenW (lpString="CryptSvc") returned 8 [0069.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0069.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0069.996] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0069.996] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0069.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0069.996] lstrlenW (lpString="CscService") returned 10 [0069.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0069.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0069.996] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0069.996] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0069.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0069.996] lstrlenW (lpString="DcomLaunch") returned 10 [0069.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0069.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0069.996] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0069.996] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0069.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0069.996] lstrlenW (lpString="Dhcp") returned 4 [0069.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0069.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0069.997] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0069.997] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0069.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0069.997] lstrlenW (lpString="Dnscache") returned 8 [0069.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0069.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0069.997] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0069.997] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0069.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0069.997] lstrlenW (lpString="DPS") returned 3 [0069.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0069.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0069.997] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0069.997] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0069.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0069.997] lstrlenW (lpString="eventlog") returned 8 [0069.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0069.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0069.997] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0069.997] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0069.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0069.997] lstrlenW (lpString="EventSystem") returned 11 [0069.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0069.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0069.997] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0069.997] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0069.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0069.997] lstrlenW (lpString="gpsvc") returned 5 [0069.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0069.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0069.997] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0069.997] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0069.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0069.997] lstrlenW (lpString="iphlpsvc") returned 8 [0069.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0069.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0069.998] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0069.998] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0069.998] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0069.998] lstrlenW (lpString="LanmanServer") returned 12 [0069.998] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0069.998] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0069.998] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0069.998] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0069.998] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0069.998] lstrlenW (lpString="LanmanWorkstation") returned 17 [0069.998] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0069.998] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0069.998] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0069.998] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0069.998] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0069.998] lstrlenW (lpString="lmhosts") returned 7 [0069.998] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0069.998] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0069.998] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0069.998] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0069.998] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0069.998] lstrlenW (lpString="MMCSS") returned 5 [0069.998] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0069.998] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0069.998] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0069.998] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0069.998] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0069.998] lstrlenW (lpString="MpsSvc") returned 6 [0069.998] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0069.998] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0069.998] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0069.998] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0069.998] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0069.998] lstrlenW (lpString="Netman") returned 6 [0069.998] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0069.998] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0069.998] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0069.999] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0069.999] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0069.999] lstrlenW (lpString="netprofm") returned 8 [0069.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0069.999] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0069.999] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0069.999] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0069.999] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0069.999] lstrlenW (lpString="NlaSvc") returned 6 [0069.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0069.999] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0069.999] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0069.999] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0069.999] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0069.999] lstrlenW (lpString="nsi") returned 3 [0069.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0069.999] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0069.999] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0069.999] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0069.999] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0069.999] lstrlenW (lpString="PcaSvc") returned 6 [0069.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0069.999] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0069.999] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0069.999] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0069.999] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0069.999] lstrlenW (lpString="PlugPlay") returned 8 [0069.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0069.999] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0069.999] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0069.999] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0069.999] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0069.999] lstrlenW (lpString="Power") returned 5 [0069.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0069.999] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0069.999] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0069.999] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0069.999] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0069.999] lstrlenW (lpString="ProfSvc") returned 7 [0069.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0070.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0070.000] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0070.000] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0070.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0070.000] lstrlenW (lpString="RpcEptMapper") returned 12 [0070.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0070.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0070.000] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0070.000] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0070.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0070.000] lstrlenW (lpString="RpcSs") returned 5 [0070.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0070.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0070.000] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0070.000] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0070.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0070.000] lstrlenW (lpString="SamSs") returned 5 [0070.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0070.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0070.000] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0070.000] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0070.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0070.000] lstrlenW (lpString="Schedule") returned 8 [0070.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0070.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0070.000] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0070.000] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0070.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0070.000] lstrlenW (lpString="SENS") returned 4 [0070.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0070.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0070.000] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0070.000] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0070.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0070.000] lstrlenW (lpString="ShellHWDetection") returned 16 [0070.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0070.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0070.000] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0070.001] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0070.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0070.001] lstrlenW (lpString="Spooler") returned 7 [0070.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0070.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0070.001] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0070.001] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0070.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0070.001] lstrlenW (lpString="swprv") returned 5 [0070.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0070.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0070.001] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0070.001] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0070.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0070.001] lstrlenW (lpString="SysMain") returned 7 [0070.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0070.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0070.001] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0070.001] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0070.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0070.001] lstrlenW (lpString="Themes") returned 6 [0070.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0070.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0070.001] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0070.001] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0070.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0070.001] lstrlenW (lpString="TrkWks") returned 6 [0070.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0070.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0070.001] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0070.001] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0070.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0070.001] lstrlenW (lpString="UxSms") returned 5 [0070.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0070.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0070.001] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0070.001] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0070.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0070.001] lstrlenW (lpString="VSS") returned 3 [0070.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0070.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0070.002] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0070.002] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0070.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0070.002] lstrlenW (lpString="WdiServiceHost") returned 14 [0070.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0070.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0070.002] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0070.002] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0070.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0070.002] lstrlenW (lpString="WdiSystemHost") returned 13 [0070.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0070.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0070.002] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0070.002] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0070.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0070.002] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0070.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0070.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0070.002] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0070.002] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0070.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0070.002] lstrlenW (lpString="Winmgmt") returned 7 [0070.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0070.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0070.002] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0070.002] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0070.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0070.002] lstrlenW (lpString="WPDBusEnum") returned 10 [0070.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0070.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0070.002] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0070.002] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0070.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0070.002] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x677ed8 | out: hHeap=0x5f0000) returned 1 [0070.002] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x198 [0070.007] Process32FirstW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0070.008] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0070.008] lstrlenW (lpString="System") returned 6 [0070.008] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0070.008] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0070.008] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0070.008] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0070.008] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0070.008] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0070.008] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0070.008] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0070.008] lstrlenW (lpString="smss.exe") returned 8 [0070.008] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0070.008] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0070.008] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0070.008] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0070.008] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0070.009] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0070.009] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0070.009] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0070.009] lstrlenW (lpString="csrss.exe") returned 9 [0070.009] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0070.009] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0070.009] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0070.009] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0070.009] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0070.009] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0070.009] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0070.009] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0070.009] lstrlenW (lpString="wininit.exe") returned 11 [0070.009] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0070.009] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0070.009] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0070.010] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0070.010] lstrlenW (lpString="csrss.exe") returned 9 [0070.010] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0070.010] lstrlenW (lpString="winlogon.exe") returned 12 [0070.010] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0070.010] lstrlenW (lpString="services.exe") returned 12 [0070.010] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0070.011] lstrlenW (lpString="lsass.exe") returned 9 [0070.011] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0070.011] lstrlenW (lpString="lsm.exe") returned 7 [0070.011] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.011] lstrlenW (lpString="svchost.exe") returned 11 [0070.011] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.012] lstrlenW (lpString="svchost.exe") returned 11 [0070.012] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.012] lstrlenW (lpString="svchost.exe") returned 11 [0070.012] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.012] lstrlenW (lpString="svchost.exe") returned 11 [0070.012] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.013] lstrlenW (lpString="svchost.exe") returned 11 [0070.013] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0070.013] lstrlenW (lpString="audiodg.exe") returned 11 [0070.013] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.013] lstrlenW (lpString="svchost.exe") returned 11 [0070.013] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.013] lstrlenW (lpString="svchost.exe") returned 11 [0070.013] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0070.014] lstrlenW (lpString="dwm.exe") returned 7 [0070.014] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0070.014] lstrlenW (lpString="explorer.exe") returned 12 [0070.014] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0070.014] lstrlenW (lpString="spoolsv.exe") returned 11 [0070.014] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.016] lstrlenW (lpString="svchost.exe") returned 11 [0070.016] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0070.016] lstrlenW (lpString="taskhost.exe") returned 12 [0070.016] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0070.017] lstrlenW (lpString="taskeng.exe") returned 11 [0070.017] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="encryption-billing-finishing.exe")) returned 1 [0070.017] lstrlenW (lpString="encryption-billing-finishing.exe") returned 32 [0070.017] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="le_inn_ending.exe")) returned 1 [0070.017] lstrlenW (lpString="le_inn_ending.exe") returned 17 [0070.017] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hung-automobiles-concerning.exe")) returned 1 [0070.018] lstrlenW (lpString="hung-automobiles-concerning.exe") returned 31 [0070.018] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebrateowen.exe")) returned 1 [0070.018] lstrlenW (lpString="celebrateowen.exe") returned 17 [0070.018] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="highlights.exe")) returned 1 [0070.018] lstrlenW (lpString="highlights.exe") returned 14 [0070.018] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="armorthunder.exe")) returned 1 [0070.018] lstrlenW (lpString="armorthunder.exe") returned 16 [0070.019] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sci_vietnam_baby.exe")) returned 1 [0070.019] lstrlenW (lpString="sci_vietnam_baby.exe") returned 20 [0070.019] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="root.exe")) returned 1 [0070.019] lstrlenW (lpString="root.exe") returned 8 [0070.019] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="searches.exe")) returned 1 [0070.019] lstrlenW (lpString="searches.exe") returned 12 [0070.019] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gnu.exe")) returned 1 [0070.020] lstrlenW (lpString="gnu.exe") returned 7 [0070.020] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lat differences.exe")) returned 1 [0070.020] lstrlenW (lpString="lat differences.exe") returned 19 [0070.020] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="wetdelayed.exe")) returned 1 [0070.020] lstrlenW (lpString="wetdelayed.exe") returned 14 [0070.020] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scarydm.exe")) returned 1 [0070.021] lstrlenW (lpString="scarydm.exe") returned 11 [0070.021] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="relating coating ride.exe")) returned 1 [0070.021] lstrlenW (lpString="relating coating ride.exe") returned 25 [0070.021] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="compressed.exe")) returned 1 [0070.021] lstrlenW (lpString="compressed.exe") returned 14 [0070.021] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="installing.exe")) returned 1 [0070.021] lstrlenW (lpString="installing.exe") returned 14 [0070.021] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jewellerycoloradokijiji.exe")) returned 1 [0070.022] lstrlenW (lpString="jewellerycoloradokijiji.exe") returned 27 [0070.022] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="promote_counted_attempted.exe")) returned 1 [0070.022] lstrlenW (lpString="promote_counted_attempted.exe") returned 29 [0070.022] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0070.022] lstrlenW (lpString="3dftp.exe") returned 9 [0070.022] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0070.023] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0070.023] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0070.023] lstrlenW (lpString="alftp.exe") returned 9 [0070.023] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0070.023] lstrlenW (lpString="barca.exe") returned 9 [0070.023] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0070.024] lstrlenW (lpString="bitkinex.exe") returned 12 [0070.024] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0070.024] lstrlenW (lpString="coreftp.exe") returned 11 [0070.024] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0070.024] lstrlenW (lpString="far.exe") returned 7 [0070.024] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0070.025] lstrlenW (lpString="filezilla.exe") returned 13 [0070.025] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0070.025] lstrlenW (lpString="flashfxp.exe") returned 12 [0070.025] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0070.025] lstrlenW (lpString="fling.exe") returned 9 [0070.025] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0070.025] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0070.025] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0070.026] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0070.026] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0070.026] lstrlenW (lpString="icq.exe") returned 7 [0070.026] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0070.026] lstrlenW (lpString="leechftp.exe") returned 12 [0070.026] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0070.027] lstrlenW (lpString="ncftp.exe") returned 9 [0070.027] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0070.027] lstrlenW (lpString="notepad.exe") returned 11 [0070.027] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0070.027] lstrlenW (lpString="operamail.exe") returned 13 [0070.027] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0070.028] lstrlenW (lpString="pidgin.exe") returned 10 [0070.028] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0070.028] lstrlenW (lpString="scriptftp.exe") returned 13 [0070.028] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0070.029] lstrlenW (lpString="skype.exe") returned 9 [0070.029] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0070.029] lstrlenW (lpString="smartftp.exe") returned 12 [0070.029] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0070.030] lstrlenW (lpString="thunderbird.exe") returned 15 [0070.030] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0070.030] lstrlenW (lpString="totalcmd.exe") returned 12 [0070.030] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0070.031] lstrlenW (lpString="trillian.exe") returned 12 [0070.031] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0070.031] lstrlenW (lpString="webdrive.exe") returned 12 [0070.032] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0070.032] lstrlenW (lpString="whatsapp.exe") returned 12 [0070.032] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0070.033] lstrlenW (lpString="winscp.exe") returned 10 [0070.033] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0070.033] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0070.033] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0070.034] lstrlenW (lpString="active-charge.exe") returned 17 [0070.034] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0070.034] lstrlenW (lpString="accupos.exe") returned 11 [0070.034] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0070.035] lstrlenW (lpString="afr38.exe") returned 9 [0070.035] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0070.035] lstrlenW (lpString="aldelo.exe") returned 10 [0070.036] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0070.036] lstrlenW (lpString="ccv_server.exe") returned 14 [0070.036] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0070.037] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0070.037] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0070.037] lstrlenW (lpString="creditservice.exe") returned 17 [0070.037] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0070.038] lstrlenW (lpString="edcsvr.exe") returned 10 [0070.408] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0070.408] lstrlenW (lpString="fpos.exe") returned 8 [0070.408] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0070.409] lstrlenW (lpString="isspos.exe") returned 10 [0070.409] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0070.409] lstrlenW (lpString="mxslipstream.exe") returned 16 [0070.409] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0070.410] lstrlenW (lpString="omnipos.exe") returned 11 [0070.410] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0070.410] lstrlenW (lpString="spcwin.exe") returned 10 [0070.410] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0070.410] lstrlenW (lpString="spgagentservice.exe") returned 19 [0070.410] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0070.411] lstrlenW (lpString="utg2.exe") returned 8 [0070.411] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="november_objects.exe")) returned 1 [0070.411] lstrlenW (lpString="november_objects.exe") returned 20 [0070.411] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vitamins_dealt.exe")) returned 1 [0070.411] lstrlenW (lpString="vitamins_dealt.exe") returned 18 [0070.411] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="peace_bite.exe")) returned 1 [0070.412] lstrlenW (lpString="peace_bite.exe") returned 14 [0070.412] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake forbidden waiting.exe")) returned 1 [0070.412] lstrlenW (lpString="earthquake forbidden waiting.exe") returned 32 [0070.412] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0070.413] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0070.413] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0070.413] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0070.413] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0070.413] lstrlenW (lpString="taskhost.exe") returned 12 [0070.414] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winhost.exe")) returned 1 [0070.414] lstrlenW (lpString="winhost.exe") returned 11 [0070.414] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa1c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0070.414] lstrlenW (lpString="cmd.exe") returned 7 [0070.414] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0070.414] lstrlenW (lpString="conhost.exe") returned 11 [0070.415] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x5b8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0070.415] lstrlenW (lpString="vssadmin.exe") returned 12 [0070.415] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0070.415] lstrlenW (lpString="VSSVC.exe") returned 9 [0070.415] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.416] lstrlenW (lpString="svchost.exe") returned 11 [0070.416] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1ac, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0070.416] lstrlenW (lpString="LogonUI.exe") returned 11 [0070.416] Process32NextW (in: hSnapshot=0x198, lppe=0x1f0fd34 | out: lppe=0x1f0fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1ac, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0070.416] CloseHandle (hObject=0x198) returned 1 [0070.416] Sleep (dwMilliseconds=0x1f4) Thread: id = 6 os_tid = 0x534 [0044.404] WaitForSingleObject (hHandle=0x18fde4, dwMilliseconds=0xffffffff) returned 0xffffffff [0044.404] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x624ff8 | out: hHeap=0x5f0000) returned 1 Thread: id = 7 os_tid = 0x70c [0044.405] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624ff8 [0044.405] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624ff8, Size=0x20) returned 0x625f98 [0044.405] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625f98, Size=0x40) returned 0x6278f0 [0044.405] GetLogicalDrives () returned 0x4 [0044.405] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x64da78 [0044.405] GetComputerNameW (in: lpBuffer=0x64da7c, nSize=0x24eff6c | out: lpBuffer="XDUWTFONO", nSize=0x24eff6c) returned 1 [0044.406] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1000) returned 0x6456e0 [0044.406] WNetOpenEnumW (in: dwScope=0x3, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x24eff3c | out: lphEnum=0x24eff3c*=0x626660) returned 0x0 [0044.406] WNetEnumResourceW (in: hEnum=0x626660, lpcCount=0x24eff38, lpBuffer=0x6456e0, lpBufferSize=0x24eff40 | out: lpcCount=0x24eff38, lpBuffer=0x6456e0, lpBufferSize=0x24eff40) returned 0x103 [0044.407] WNetCloseEnum (hEnum=0x626660) returned 0x0 [0044.407] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x24eff3c | out: lphEnum=0x24eff3c*=0x40110b8) returned 0x0 [0048.441] WNetEnumResourceW (in: hEnum=0x40110b8, lpcCount=0x24eff38, lpBuffer=0x6456e0, lpBufferSize=0x24eff40 | out: lpcCount=0x24eff38, lpBuffer=0x6456e0, lpBufferSize=0x24eff40) returned 0x0 [0048.441] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1000) returned 0x4010058 [0048.441] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x6456e0, lphEnum=0x24eff10 | out: lphEnum=0x24eff10*=0x6269c0) returned 0x0 [0048.502] WNetEnumResourceW (in: hEnum=0x6269c0, lpcCount=0x24eff0c, lpBuffer=0x4010058, lpBufferSize=0x24eff14 | out: lpcCount=0x24eff0c, lpBuffer=0x4010058, lpBufferSize=0x24eff14) returned 0x103 [0048.502] WNetCloseEnum (hEnum=0x6269c0) returned 0x0 [0048.502] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1000) returned 0x671aa0 [0048.503] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x645700, lphEnum=0x24eff10 | out: lphEnum=0x24eff10*=0x0) returned 0x4b8 [0069.469] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1000) returned 0x40590d0 [0069.469] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x645720, lphEnum=0x24eff10 | out: lphEnum=0x24eff10*=0x0) returned 0x4c6 [0069.937] WNetEnumResourceW (in: hEnum=0x40110b8, lpcCount=0x24eff38, lpBuffer=0x6456e0, lpBufferSize=0x24eff40 | out: lpcCount=0x24eff38, lpBuffer=0x6456e0, lpBufferSize=0x24eff40) returned 0x103 [0069.937] WNetCloseEnum (hEnum=0x40110b8) returned 0x0 [0069.937] GetLogicalDrives () returned 0x4 [0069.937] Sleep (dwMilliseconds=0x64) [0070.408] GetLogicalDrives () returned 0x4 [0070.408] Sleep (dwMilliseconds=0x64) [0070.901] GetLogicalDrives () returned 0x4 [0070.901] Sleep (dwMilliseconds=0x64) Thread: id = 8 os_tid = 0x290 [0045.836] GetTickCount () returned 0x1144bdf [0045.836] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x24) returned 0x680058 [0045.836] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x680058, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x124 [0045.845] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x680058, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x128 [0045.848] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x680058, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x12c [0045.849] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x680058, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x130 [0045.851] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646910 [0045.851] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646910, Size=0x20) returned 0x626358 [0045.851] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646910 [0045.851] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646910, Size=0x20) returned 0x626380 [0045.852] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0045.852] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0045.852] Wow64DisableWow64FsRedirection (in: OldValue=0x25eff84 | out: OldValue=0x25eff84*=0x0) returned 1 [0045.852] lstrlenW (lpString="kernel32.dll") returned 12 [0045.852] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x626358 | out: hHeap=0x5f0000) returned 1 [0045.852] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0045.852] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x626380 | out: hHeap=0x5f0000) returned 1 [0045.852] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x62ba68, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x134 [0045.853] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0045.974] GetTickCount () returned 0x1144c6c [0045.974] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0046.471] GetTickCount () returned 0x1144d17 [0046.471] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0047.472] GetTickCount () returned 0x1144de2 [0047.472] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0047.734] GetTickCount () returned 0x1144e6f [0047.734] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0047.847] GetTickCount () returned 0x1144edc [0047.847] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0047.948] GetTickCount () returned 0x1144f49 [0047.948] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0048.092] GetTickCount () returned 0x1144fd5 [0048.092] GetTickCount () returned 0x1144fd5 [0048.092] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0048.473] GetTickCount () returned 0x1145071 [0048.473] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0048.807] GetTickCount () returned 0x114511d [0048.807] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0048.985] GetTickCount () returned 0x11451c9 [0048.986] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0049.520] GetTickCount () returned 0x1145255 [0049.520] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0049.639] GetTickCount () returned 0x11452d2 [0049.639] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0049.745] GetTickCount () returned 0x114533f [0049.745] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0049.852] GetTickCount () returned 0x11453ac [0049.852] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0049.965] GetTickCount () returned 0x1145419 [0049.965] GetTickCount () returned 0x1145419 [0049.965] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0050.070] GetTickCount () returned 0x1145487 [0050.070] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0050.180] GetTickCount () returned 0x11454f4 [0050.180] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0050.289] GetTickCount () returned 0x1145561 [0050.289] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0050.398] GetTickCount () returned 0x11455ce [0050.399] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0051.116] GetTickCount () returned 0x1145745 [0051.116] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0051.546] GetTickCount () returned 0x11458ea [0051.546] GetTickCount () returned 0x11458ea [0051.546] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0052.115] GetTickCount () returned 0x1145aed [0052.115] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0052.667] GetTickCount () returned 0x1145ce0 [0052.667] GetTickCount () returned 0x1145cef [0052.677] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0053.081] GetTickCount () returned 0x1145e37 [0053.081] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0053.419] GetTickCount () returned 0x1145f50 [0053.419] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0053.813] GetTickCount () returned 0x1146078 [0053.813] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0054.616] GetTickCount () returned 0x11463a3 [0054.616] GetTickCount () returned 0x11463a3 [0054.616] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0054.893] GetTickCount () returned 0x11464bc [0054.893] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0056.101] GetTickCount () returned 0x114696d [0056.101] GetTickCount () returned 0x114696d [0056.101] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0056.323] GetTickCount () returned 0x1146a29 [0056.323] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0056.512] GetTickCount () returned 0x1146ab5 [0056.512] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0056.606] GetTickCount () returned 0x1146b22 [0056.606] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0056.716] GetTickCount () returned 0x1146b8f [0056.716] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0056.830] GetTickCount () returned 0x1146bfd [0056.830] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0056.934] GetTickCount () returned 0x1146c6a [0056.934] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0057.043] GetTickCount () returned 0x1146cd7 [0057.043] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0057.153] GetTickCount () returned 0x1146d44 [0057.153] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0057.262] GetTickCount () returned 0x1146db1 [0057.262] GetTickCount () returned 0x1146db1 [0057.262] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0057.371] GetTickCount () returned 0x1146e1f [0057.371] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0057.481] GetTickCount () returned 0x1146e8c [0057.481] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0057.590] GetTickCount () returned 0x1146ef9 [0057.590] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0057.699] GetTickCount () returned 0x1146f66 [0057.699] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0057.809] GetTickCount () returned 0x1146fd3 [0057.809] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0058.047] GetTickCount () returned 0x11470bd [0058.047] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0058.341] GetTickCount () returned 0x11471e6 [0058.341] GetTickCount () returned 0x11471e6 [0058.341] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0058.613] GetTickCount () returned 0x11472ef [0058.613] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0058.932] GetTickCount () returned 0x1147437 [0058.932] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0059.091] GetTickCount () returned 0x11474d3 [0059.091] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0059.599] GetTickCount () returned 0x1147697 [0059.599] GetTickCount () returned 0x1147697 [0059.599] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0060.456] GetTickCount () returned 0x1147993 [0060.456] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0060.864] GetTickCount () returned 0x1147b29 [0060.864] GetTickCount () returned 0x1147b29 [0060.864] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0061.092] GetTickCount () returned 0x1147c13 [0061.092] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0061.429] GetTickCount () returned 0x1147d6a [0061.429] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0062.284] GetTickCount () returned 0x1148095 [0062.284] GetTickCount () returned 0x1148095 [0062.284] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0062.428] GetTickCount () returned 0x1148131 [0062.428] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0062.960] GetTickCount () returned 0x1148344 [0062.960] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0063.088] GetTickCount () returned 0x11483c1 [0063.088] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0063.190] GetTickCount () returned 0x114842e [0063.190] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0063.300] GetTickCount () returned 0x114849b [0063.300] GetTickCount () returned 0x114849b [0063.300] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0063.408] GetTickCount () returned 0x1148508 [0063.408] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0063.517] GetTickCount () returned 0x1148575 [0063.517] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0063.887] GetTickCount () returned 0x11486dc [0063.887] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0064.012] GetTickCount () returned 0x1148749 [0064.012] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0064.111] GetTickCount () returned 0x11487b7 [0064.111] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0064.377] GetTickCount () returned 0x11488c0 [0064.377] GetTickCount () returned 0x11488c0 [0064.377] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0064.583] GetTickCount () returned 0x114898b [0064.583] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0064.707] GetTickCount () returned 0x1148a07 [0064.707] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0064.925] GetTickCount () returned 0x1148ae2 [0064.925] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0065.117] GetTickCount () returned 0x1148b9d [0065.117] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0065.424] GetTickCount () returned 0x1148cd5 [0065.424] GetTickCount () returned 0x1148cd5 [0065.424] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0066.701] GetTickCount () returned 0x11491c5 [0066.701] GetTickCount () returned 0x11491c5 [0066.701] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0066.903] GetTickCount () returned 0x1149290 [0066.903] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0067.122] GetTickCount () returned 0x114936a [0067.122] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0067.410] GetTickCount () returned 0x1149483 [0067.410] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0067.672] GetTickCount () returned 0x114958c [0067.672] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0068.239] GetTickCount () returned 0x11497be [0068.239] GetTickCount () returned 0x11497be [0068.239] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0069.129] GetTickCount () returned 0x1149b37 [0069.129] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0069.811] GetTickCount () returned 0x1149de5 [0069.811] GetTickCount () returned 0x1149de5 [0069.811] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0070.038] GetTickCount () returned 0x1149ecf [0070.038] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0070.799] GetTickCount () returned 0x114a1bc [0070.800] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) Thread: id = 10 os_tid = 0x364 [0047.341] GetTickCount () returned 0x1144d65 [0047.341] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x24) returned 0x680800 [0047.341] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x680800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x140 [0047.343] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x680800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x144 [0047.350] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x680800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x148 [0047.356] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x680800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x14c [0047.364] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646a00 [0047.364] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646a00, Size=0x20) returned 0x63c690 [0047.364] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646a00 [0047.364] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646a00, Size=0x20) returned 0x63c708 [0047.365] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0047.365] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0047.365] Wow64DisableWow64FsRedirection (in: OldValue=0x23eff84 | out: OldValue=0x23eff84*=0x0) returned 1 [0047.365] lstrlenW (lpString="kernel32.dll") returned 12 [0047.365] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c690 | out: hHeap=0x5f0000) returned 1 [0047.365] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0047.365] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c708 | out: hHeap=0x5f0000) returned 1 [0047.365] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x65da80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x150 [0047.388] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0047.526] GetTickCount () returned 0x1144e11 [0047.526] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0047.785] GetTickCount () returned 0x1144e9d [0047.785] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0047.918] GetTickCount () returned 0x1144f2a [0047.918] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0048.028] GetTickCount () returned 0x1144f97 [0048.028] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0048.362] GetTickCount () returned 0x1145004 [0048.362] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0048.507] GetTickCount () returned 0x1145091 [0048.507] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0048.890] GetTickCount () returned 0x114516b [0048.890] GetTickCount () returned 0x114516b [0048.890] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0049.003] GetTickCount () returned 0x11451d8 [0049.003] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0049.520] GetTickCount () returned 0x1145255 [0049.520] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0049.640] GetTickCount () returned 0x11452d2 [0049.640] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0049.745] GetTickCount () returned 0x114533f [0049.745] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0049.852] GetTickCount () returned 0x11453ac [0049.852] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0049.965] GetTickCount () returned 0x1145419 [0049.965] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0050.070] GetTickCount () returned 0x1145487 [0050.070] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0050.180] GetTickCount () returned 0x11454f4 [0050.180] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0050.288] GetTickCount () returned 0x1145561 [0050.288] GetTickCount () returned 0x1145561 [0050.288] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0050.399] GetTickCount () returned 0x11455ce [0050.399] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0051.116] GetTickCount () returned 0x1145745 [0051.116] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0051.546] GetTickCount () returned 0x11458ea [0051.546] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0052.114] GetTickCount () returned 0x1145aed [0052.115] GetTickCount () returned 0x1145aed [0052.115] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0052.667] GetTickCount () returned 0x1145ce0 [0052.667] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0053.081] GetTickCount () returned 0x1145e37 [0053.081] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0053.418] GetTickCount () returned 0x1145f50 [0053.418] GetTickCount () returned 0x1145f50 [0053.418] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0053.813] GetTickCount () returned 0x1146078 [0053.813] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0054.616] GetTickCount () returned 0x11463a3 [0054.616] GetTickCount () returned 0x11463a3 [0054.616] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0054.894] GetTickCount () returned 0x11464bc [0054.894] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0056.101] GetTickCount () returned 0x114696d [0056.101] GetTickCount () returned 0x114696d [0056.101] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0056.324] GetTickCount () returned 0x1146a29 [0056.324] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0056.512] GetTickCount () returned 0x1146ab5 [0056.512] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0056.606] GetTickCount () returned 0x1146b22 [0056.606] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0056.716] GetTickCount () returned 0x1146b8f [0056.716] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0056.830] GetTickCount () returned 0x1146bfd [0056.830] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0056.934] GetTickCount () returned 0x1146c6a [0056.934] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0057.043] GetTickCount () returned 0x1146cd7 [0057.043] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0057.152] GetTickCount () returned 0x1146d44 [0057.152] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0057.262] GetTickCount () returned 0x1146db1 [0057.262] GetTickCount () returned 0x1146db1 [0057.262] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0057.371] GetTickCount () returned 0x1146e1f [0057.371] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0057.481] GetTickCount () returned 0x1146e8c [0057.481] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0057.590] GetTickCount () returned 0x1146ef9 [0057.590] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0057.699] GetTickCount () returned 0x1146f66 [0057.699] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0057.809] GetTickCount () returned 0x1146fd3 [0057.809] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0058.046] GetTickCount () returned 0x11470bd [0058.046] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0058.340] GetTickCount () returned 0x11471e6 [0058.340] GetTickCount () returned 0x11471e6 [0058.340] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0058.613] GetTickCount () returned 0x11472ef [0058.613] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0058.931] GetTickCount () returned 0x1147437 [0058.931] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0059.091] GetTickCount () returned 0x11474d3 [0059.092] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0059.590] GetTickCount () returned 0x1147697 [0059.590] GetTickCount () returned 0x1147697 [0059.590] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0060.447] GetTickCount () returned 0x1147993 [0060.456] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0060.864] GetTickCount () returned 0x1147b29 [0060.864] GetTickCount () returned 0x1147b29 [0060.864] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0061.092] GetTickCount () returned 0x1147c13 [0061.092] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0061.428] GetTickCount () returned 0x1147d6a [0061.428] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0062.284] GetTickCount () returned 0x1148095 [0062.284] GetTickCount () returned 0x1148095 [0062.284] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0062.428] GetTickCount () returned 0x1148131 [0062.428] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0062.960] GetTickCount () returned 0x1148344 [0062.960] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0063.089] GetTickCount () returned 0x11483c1 [0063.089] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0063.190] GetTickCount () returned 0x114842e [0063.190] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0063.300] GetTickCount () returned 0x114849b [0063.300] GetTickCount () returned 0x114849b [0063.300] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0063.408] GetTickCount () returned 0x1148508 [0063.408] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0063.518] GetTickCount () returned 0x1148575 [0063.518] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0063.887] GetTickCount () returned 0x11486dc [0063.887] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0064.012] GetTickCount () returned 0x1148749 [0064.012] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0064.111] GetTickCount () returned 0x11487b7 [0064.111] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0064.377] GetTickCount () returned 0x11488c0 [0064.377] GetTickCount () returned 0x11488c0 [0064.377] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0064.583] GetTickCount () returned 0x114898b [0064.583] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0064.707] GetTickCount () returned 0x1148a07 [0064.707] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0064.925] GetTickCount () returned 0x1148ae2 [0064.926] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0065.117] GetTickCount () returned 0x1148b9d [0065.117] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0065.424] GetTickCount () returned 0x1148cd5 [0065.431] GetTickCount () returned 0x1148cd5 [0065.431] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0066.701] GetTickCount () returned 0x11491c5 [0066.701] GetTickCount () returned 0x11491c5 [0066.701] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0066.903] GetTickCount () returned 0x1149290 [0066.904] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0067.122] GetTickCount () returned 0x114936a [0067.122] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0067.410] GetTickCount () returned 0x1149483 [0067.410] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0067.680] GetTickCount () returned 0x114958c [0067.680] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0068.239] GetTickCount () returned 0x11497be [0068.239] GetTickCount () returned 0x11497be [0068.239] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0069.129] GetTickCount () returned 0x1149b37 [0069.129] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0069.811] GetTickCount () returned 0x1149de5 [0069.811] GetTickCount () returned 0x1149de5 [0069.811] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0070.039] GetTickCount () returned 0x1149ecf [0070.039] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0070.800] GetTickCount () returned 0x114a1bc [0070.800] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) Thread: id = 11 os_tid = 0x7c4 [0047.342] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x680cb8 [0047.342] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x690cc0 [0047.342] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6468c8 [0047.342] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x63ce58 [0047.342] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646988 [0047.342] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x3170020 [0047.343] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646910 [0047.343] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646910, Size=0x20) returned 0x63c690 [0047.343] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646910 [0047.343] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646910, Size=0x20) returned 0x63c708 [0047.343] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0047.343] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0047.343] Wow64DisableWow64FsRedirection (in: OldValue=0x2b2ff58 | out: OldValue=0x2b2ff58*=0x0) returned 1 [0047.343] lstrlenW (lpString="kernel32.dll") returned 12 [0047.343] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c690 | out: hHeap=0x5f0000) returned 1 [0047.343] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0047.343] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c708 | out: hHeap=0x5f0000) returned 1 [0047.343] Sleep (dwMilliseconds=0x64) [0047.494] Sleep (dwMilliseconds=0x64) [0047.735] Sleep (dwMilliseconds=0x64) [0047.847] Sleep (dwMilliseconds=0x64) [0047.950] Sleep (dwMilliseconds=0x64) [0048.093] Sleep (dwMilliseconds=0x64) [0048.473] Sleep (dwMilliseconds=0x64) [0048.820] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0048.820] lstrlenW (lpString="Setup.xml") returned 9 [0048.820] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0048.820] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=1886) returned 1 [0048.820] CloseHandle (hObject=0x184) returned 1 [0048.820] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0048.820] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.820] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0048.821] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.821] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.821] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0048.821] GetLastError () returned 0x0 [0048.821] ReadFile (in: hFile=0x184, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x75e, lpOverlapped=0x0) returned 1 [0049.904] WriteFile (in: hFile=0x194, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x760, lpOverlapped=0x0) returned 1 [0049.905] ReadFile (in: hFile=0x184, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.905] WriteFile (in: hFile=0x194, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.905] SetEndOfFile (hFile=0x194) returned 1 [0049.905] CloseHandle (hObject=0x194) returned 1 [0049.907] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.907] SetEndOfFile (hFile=0x184) returned 1 [0049.908] CloseHandle (hObject=0x184) returned 1 [0049.908] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0049.908] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0049.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.909] lstrlenW (lpString=".doc") returned 4 [0049.909] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0049.909] lstrlenW (lpString=".docx") returned 5 [0049.909] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0049.909] lstrlenW (lpString=".pdf") returned 4 [0049.909] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0049.909] lstrlenW (lpString=".xls") returned 4 [0049.909] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0049.909] lstrlenW (lpString=".xlsx") returned 5 [0049.909] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0049.909] lstrlenW (lpString=".ppt") returned 4 [0049.909] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0049.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.909] lstrlenW (lpString=".zip") returned 4 [0049.909] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0049.909] lstrlenW (lpString=".rar") returned 4 [0049.909] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0049.909] lstrlenW (lpString=".bz2") returned 4 [0049.909] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0049.909] lstrlenW (lpString=".7z") returned 3 [0049.909] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0049.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.909] lstrlenW (lpString=".dbf") returned 4 [0049.909] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0049.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.909] lstrlenW (lpString=".1cd") returned 4 [0049.909] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0049.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.909] lstrlenW (lpString=".jpg") returned 4 [0049.910] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0049.910] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.910] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.910] lstrlenW (lpString=".doc") returned 4 [0049.910] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0049.910] lstrlenW (lpString=".docx") returned 5 [0049.910] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0049.910] lstrlenW (lpString=".pdf") returned 4 [0049.910] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0049.910] lstrlenW (lpString=".xls") returned 4 [0049.910] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0049.910] lstrlenW (lpString=".xlsx") returned 5 [0049.910] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0049.910] lstrlenW (lpString=".ppt") returned 4 [0049.910] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0049.910] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.910] lstrlenW (lpString=".zip") returned 4 [0049.910] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0049.910] lstrlenW (lpString=".rar") returned 4 [0049.910] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0049.910] lstrlenW (lpString=".bz2") returned 4 [0049.910] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0049.910] lstrlenW (lpString=".7z") returned 3 [0049.910] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0049.910] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.910] lstrlenW (lpString=".dbf") returned 4 [0049.910] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0049.910] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.910] lstrlenW (lpString=".1cd") returned 4 [0049.910] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0049.910] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.910] lstrlenW (lpString=".jpg") returned 4 [0049.910] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0049.911] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0049.911] lstrlenW (lpString="Proof.xml") returned 9 [0049.911] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0049.911] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=1457) returned 1 [0049.911] CloseHandle (hObject=0x184) returned 1 [0049.911] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml")) returned 0x2020 [0049.911] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0049.911] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0049.911] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.911] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.911] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0049.912] GetLastError () returned 0x0 [0049.912] ReadFile (in: hFile=0x184, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x5b1, lpOverlapped=0x0) returned 1 [0051.132] WriteFile (in: hFile=0x194, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0051.133] ReadFile (in: hFile=0x184, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.133] WriteFile (in: hFile=0x194, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0051.133] SetEndOfFile (hFile=0x194) returned 1 [0051.134] CloseHandle (hObject=0x194) returned 1 [0051.135] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.135] SetEndOfFile (hFile=0x184) returned 1 [0051.136] CloseHandle (hObject=0x184) returned 1 [0051.136] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.137] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml")) returned 1 [0051.137] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0051.137] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0051.137] lstrlenW (lpString=".doc") returned 4 [0051.137] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.137] lstrlenW (lpString=".docx") returned 5 [0051.137] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0051.137] lstrlenW (lpString=".pdf") returned 4 [0051.137] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.137] lstrlenW (lpString=".xls") returned 4 [0051.137] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.137] lstrlenW (lpString=".xlsx") returned 5 [0051.137] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0051.137] lstrlenW (lpString=".ppt") returned 4 [0051.138] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.138] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0051.138] lstrlenW (lpString=".zip") returned 4 [0051.138] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.138] lstrlenW (lpString=".rar") returned 4 [0051.138] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.138] lstrlenW (lpString=".bz2") returned 4 [0051.138] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.138] lstrlenW (lpString=".7z") returned 3 [0051.138] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.138] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0051.138] lstrlenW (lpString=".dbf") returned 4 [0051.138] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.138] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0051.138] lstrlenW (lpString=".1cd") returned 4 [0051.138] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.138] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0051.138] lstrlenW (lpString=".jpg") returned 4 [0051.138] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.138] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0051.138] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0051.138] lstrlenW (lpString=".doc") returned 4 [0051.138] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.138] lstrlenW (lpString=".docx") returned 5 [0051.138] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0051.139] lstrlenW (lpString=".pdf") returned 4 [0051.139] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.139] lstrlenW (lpString=".xls") returned 4 [0051.139] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.139] lstrlenW (lpString=".xlsx") returned 5 [0051.139] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0051.139] lstrlenW (lpString=".ppt") returned 4 [0051.139] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.139] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0051.139] lstrlenW (lpString=".zip") returned 4 [0051.139] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.139] lstrlenW (lpString=".rar") returned 4 [0051.139] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.139] lstrlenW (lpString=".bz2") returned 4 [0051.139] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.139] lstrlenW (lpString=".7z") returned 3 [0051.139] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.139] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0051.139] lstrlenW (lpString=".dbf") returned 4 [0051.139] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.139] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0051.139] lstrlenW (lpString=".1cd") returned 4 [0051.139] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.139] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0051.139] lstrlenW (lpString=".jpg") returned 4 [0051.139] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.140] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0051.140] lstrlenW (lpString="Office32MUI.xml") returned 15 [0051.140] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0051.141] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=1383) returned 1 [0051.141] CloseHandle (hObject=0x184) returned 1 [0051.141] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml")) returned 0x2020 [0051.141] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0051.141] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0051.142] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.142] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.142] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0051.142] GetLastError () returned 0x0 [0051.142] ReadFile (in: hFile=0x184, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x567, lpOverlapped=0x0) returned 1 [0051.252] WriteFile (in: hFile=0x194, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x570, lpOverlapped=0x0) returned 1 [0051.254] ReadFile (in: hFile=0x184, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.254] WriteFile (in: hFile=0x194, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0051.254] SetEndOfFile (hFile=0x194) returned 1 [0051.254] CloseHandle (hObject=0x194) returned 1 [0051.255] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.255] SetEndOfFile (hFile=0x184) returned 1 [0051.257] CloseHandle (hObject=0x184) returned 1 [0051.257] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.257] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml")) returned 1 [0051.258] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0051.258] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0051.258] lstrlenW (lpString=".doc") returned 4 [0051.258] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.258] lstrlenW (lpString=".docx") returned 5 [0051.258] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0051.258] lstrlenW (lpString=".pdf") returned 4 [0051.258] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.258] lstrlenW (lpString=".xls") returned 4 [0051.258] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.258] lstrlenW (lpString=".xlsx") returned 5 [0051.258] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0051.258] lstrlenW (lpString=".ppt") returned 4 [0051.258] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.258] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0051.258] lstrlenW (lpString=".zip") returned 4 [0051.258] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.258] lstrlenW (lpString=".rar") returned 4 [0051.258] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.258] lstrlenW (lpString=".bz2") returned 4 [0051.258] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.258] lstrlenW (lpString=".7z") returned 3 [0051.259] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.259] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0051.259] lstrlenW (lpString=".dbf") returned 4 [0051.259] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.259] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0051.259] lstrlenW (lpString=".1cd") returned 4 [0051.259] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.259] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0051.259] lstrlenW (lpString=".jpg") returned 4 [0051.259] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.259] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0051.259] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0051.259] lstrlenW (lpString=".doc") returned 4 [0051.259] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.259] lstrlenW (lpString=".docx") returned 5 [0051.259] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0051.259] lstrlenW (lpString=".pdf") returned 4 [0051.259] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.259] lstrlenW (lpString=".xls") returned 4 [0051.259] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.259] lstrlenW (lpString=".xlsx") returned 5 [0051.259] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0051.259] lstrlenW (lpString=".ppt") returned 4 [0051.259] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.259] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0051.260] lstrlenW (lpString=".zip") returned 4 [0051.260] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.260] lstrlenW (lpString=".rar") returned 4 [0051.260] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.260] lstrlenW (lpString=".bz2") returned 4 [0051.260] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.260] lstrlenW (lpString=".7z") returned 3 [0051.260] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.260] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0051.260] lstrlenW (lpString=".dbf") returned 4 [0051.260] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.260] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0051.260] lstrlenW (lpString=".1cd") returned 4 [0051.260] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.260] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0051.260] lstrlenW (lpString=".jpg") returned 4 [0051.260] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.260] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0051.260] lstrlenW (lpString="Setup.xml") returned 9 [0051.260] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0051.290] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=6241) returned 1 [0051.291] CloseHandle (hObject=0x188) returned 1 [0051.291] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0051.291] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0051.291] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0051.291] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.291] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.291] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0051.325] GetLastError () returned 0x0 [0051.325] ReadFile (in: hFile=0x188, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x1861, lpOverlapped=0x0) returned 1 [0051.329] WriteFile (in: hFile=0x1ac, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x1870, lpOverlapped=0x0) returned 1 [0051.331] ReadFile (in: hFile=0x188, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.331] WriteFile (in: hFile=0x1ac, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0051.331] SetEndOfFile (hFile=0x1ac) returned 1 [0051.331] CloseHandle (hObject=0x1ac) returned 1 [0051.332] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.332] SetEndOfFile (hFile=0x188) returned 1 [0051.332] CloseHandle (hObject=0x188) returned 1 [0051.333] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.333] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0051.333] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.333] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.333] lstrlenW (lpString=".doc") returned 4 [0051.333] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.333] lstrlenW (lpString=".docx") returned 5 [0051.333] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0051.333] lstrlenW (lpString=".pdf") returned 4 [0051.333] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.333] lstrlenW (lpString=".xls") returned 4 [0051.333] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.333] lstrlenW (lpString=".xlsx") returned 5 [0051.333] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0051.334] lstrlenW (lpString=".ppt") returned 4 [0051.334] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.334] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.334] lstrlenW (lpString=".zip") returned 4 [0051.334] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.334] lstrlenW (lpString=".rar") returned 4 [0051.334] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.334] lstrlenW (lpString=".bz2") returned 4 [0051.334] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.334] lstrlenW (lpString=".7z") returned 3 [0051.334] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.334] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.334] lstrlenW (lpString=".dbf") returned 4 [0051.334] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.334] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.334] lstrlenW (lpString=".1cd") returned 4 [0051.334] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.334] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.334] lstrlenW (lpString=".jpg") returned 4 [0051.334] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.334] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.334] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.334] lstrlenW (lpString=".doc") returned 4 [0051.334] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.334] lstrlenW (lpString=".docx") returned 5 [0051.334] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0051.334] lstrlenW (lpString=".pdf") returned 4 [0051.334] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.334] lstrlenW (lpString=".xls") returned 4 [0051.334] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.334] lstrlenW (lpString=".xlsx") returned 5 [0051.334] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0051.334] lstrlenW (lpString=".ppt") returned 4 [0051.334] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.334] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.335] lstrlenW (lpString=".zip") returned 4 [0051.335] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.335] lstrlenW (lpString=".rar") returned 4 [0051.335] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.335] lstrlenW (lpString=".bz2") returned 4 [0051.335] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.335] lstrlenW (lpString=".7z") returned 3 [0051.335] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.335] lstrlenW (lpString=".dbf") returned 4 [0051.335] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.335] lstrlenW (lpString=".1cd") returned 4 [0051.335] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.335] lstrlenW (lpString=".jpg") returned 4 [0051.335] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.335] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0051.335] lstrlenW (lpString="Setup.xml") returned 9 [0051.335] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0051.615] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=1452) returned 1 [0051.615] CloseHandle (hObject=0x190) returned 1 [0051.615] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0051.615] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0051.616] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0051.616] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.616] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.616] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0051.616] GetLastError () returned 0x0 [0051.616] ReadFile (in: hFile=0x190, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x5ac, lpOverlapped=0x0) returned 1 [0051.618] WriteFile (in: hFile=0x198, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0051.619] ReadFile (in: hFile=0x190, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.619] WriteFile (in: hFile=0x198, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0051.619] SetEndOfFile (hFile=0x198) returned 1 [0051.619] CloseHandle (hObject=0x198) returned 1 [0051.621] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.621] SetEndOfFile (hFile=0x190) returned 1 [0051.622] CloseHandle (hObject=0x190) returned 1 [0051.622] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.622] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0051.622] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.622] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.622] lstrlenW (lpString=".doc") returned 4 [0051.622] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.622] lstrlenW (lpString=".docx") returned 5 [0051.622] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0051.623] lstrlenW (lpString=".pdf") returned 4 [0051.623] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.623] lstrlenW (lpString=".xls") returned 4 [0051.623] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.623] lstrlenW (lpString=".xlsx") returned 5 [0051.623] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0051.623] lstrlenW (lpString=".ppt") returned 4 [0051.623] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.623] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.623] lstrlenW (lpString=".zip") returned 4 [0051.623] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.623] lstrlenW (lpString=".rar") returned 4 [0051.623] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.623] lstrlenW (lpString=".bz2") returned 4 [0051.623] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.623] lstrlenW (lpString=".7z") returned 3 [0051.623] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.623] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.623] lstrlenW (lpString=".dbf") returned 4 [0051.623] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.623] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.623] lstrlenW (lpString=".1cd") returned 4 [0051.623] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.623] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.623] lstrlenW (lpString=".jpg") returned 4 [0051.623] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.623] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.623] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.623] lstrlenW (lpString=".doc") returned 4 [0051.623] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.623] lstrlenW (lpString=".docx") returned 5 [0051.623] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0051.623] lstrlenW (lpString=".pdf") returned 4 [0051.624] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.624] lstrlenW (lpString=".xls") returned 4 [0051.624] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.624] lstrlenW (lpString=".xlsx") returned 5 [0051.624] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0051.624] lstrlenW (lpString=".ppt") returned 4 [0051.624] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.624] lstrlenW (lpString=".zip") returned 4 [0051.624] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.624] lstrlenW (lpString=".rar") returned 4 [0051.624] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.624] lstrlenW (lpString=".bz2") returned 4 [0051.624] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.624] lstrlenW (lpString=".7z") returned 3 [0051.624] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.624] lstrlenW (lpString=".dbf") returned 4 [0051.624] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.624] lstrlenW (lpString=".1cd") returned 4 [0051.624] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.624] lstrlenW (lpString=".jpg") returned 4 [0051.624] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.624] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0051.624] lstrlenW (lpString="OfficeMUI.xml") returned 13 [0051.624] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0051.709] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=5557) returned 1 [0051.709] CloseHandle (hObject=0x198) returned 1 [0051.709] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml")) returned 0x2020 [0051.709] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0051.709] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0051.709] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.709] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.709] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0051.710] GetLastError () returned 0x0 [0051.710] ReadFile (in: hFile=0x198, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x15b5, lpOverlapped=0x0) returned 1 [0051.712] WriteFile (in: hFile=0x1ec, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x15c0, lpOverlapped=0x0) returned 1 [0051.713] ReadFile (in: hFile=0x198, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.713] WriteFile (in: hFile=0x1ec, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xee, lpOverlapped=0x0) returned 1 [0051.713] SetEndOfFile (hFile=0x1ec) returned 1 [0051.713] CloseHandle (hObject=0x1ec) returned 1 [0051.716] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.716] SetEndOfFile (hFile=0x198) returned 1 [0051.716] CloseHandle (hObject=0x198) returned 1 [0051.716] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.717] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml")) returned 1 [0051.717] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0051.717] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0051.717] lstrlenW (lpString=".doc") returned 4 [0051.717] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.717] lstrlenW (lpString=".docx") returned 5 [0051.717] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0051.717] lstrlenW (lpString=".pdf") returned 4 [0051.717] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.717] lstrlenW (lpString=".xls") returned 4 [0051.717] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.717] lstrlenW (lpString=".xlsx") returned 5 [0051.717] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0051.717] lstrlenW (lpString=".ppt") returned 4 [0051.717] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.717] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0051.717] lstrlenW (lpString=".zip") returned 4 [0051.717] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.717] lstrlenW (lpString=".rar") returned 4 [0051.717] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.717] lstrlenW (lpString=".bz2") returned 4 [0051.717] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.718] lstrlenW (lpString=".7z") returned 3 [0051.718] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.718] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0051.718] lstrlenW (lpString=".dbf") returned 4 [0051.718] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.718] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0051.718] lstrlenW (lpString=".1cd") returned 4 [0051.718] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.718] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0051.718] lstrlenW (lpString=".jpg") returned 4 [0051.718] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.718] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0051.718] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0051.718] lstrlenW (lpString=".doc") returned 4 [0051.718] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.718] lstrlenW (lpString=".docx") returned 5 [0051.718] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0051.718] lstrlenW (lpString=".pdf") returned 4 [0051.718] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.718] lstrlenW (lpString=".xls") returned 4 [0051.718] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.718] lstrlenW (lpString=".xlsx") returned 5 [0051.718] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0051.718] lstrlenW (lpString=".ppt") returned 4 [0051.718] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.718] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0051.718] lstrlenW (lpString=".zip") returned 4 [0051.718] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.718] lstrlenW (lpString=".rar") returned 4 [0051.718] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.718] lstrlenW (lpString=".bz2") returned 4 [0051.718] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.718] lstrlenW (lpString=".7z") returned 3 [0051.718] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.719] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0051.719] lstrlenW (lpString=".dbf") returned 4 [0051.719] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.719] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0051.719] lstrlenW (lpString=".1cd") returned 4 [0051.719] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.719] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0051.719] lstrlenW (lpString=".jpg") returned 4 [0051.719] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.719] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0051.719] lstrlenW (lpString="OfficeMUISet.xml") returned 16 [0051.719] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0051.719] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=819) returned 1 [0051.719] CloseHandle (hObject=0x198) returned 1 [0051.719] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml")) returned 0x2020 [0051.719] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0051.719] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0051.720] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.720] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.720] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0051.720] GetLastError () returned 0x0 [0051.720] ReadFile (in: hFile=0x198, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x333, lpOverlapped=0x0) returned 1 [0051.722] WriteFile (in: hFile=0x1ec, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x340, lpOverlapped=0x0) returned 1 [0051.723] ReadFile (in: hFile=0x198, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.723] WriteFile (in: hFile=0x1ec, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0051.723] SetEndOfFile (hFile=0x1ec) returned 1 [0051.723] CloseHandle (hObject=0x1ec) returned 1 [0051.725] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.725] SetEndOfFile (hFile=0x198) returned 1 [0051.726] CloseHandle (hObject=0x198) returned 1 [0051.726] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.726] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml")) returned 1 [0051.726] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0051.726] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0051.726] lstrlenW (lpString=".doc") returned 4 [0051.726] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.726] lstrlenW (lpString=".docx") returned 5 [0051.726] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0051.726] lstrlenW (lpString=".pdf") returned 4 [0051.726] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.726] lstrlenW (lpString=".xls") returned 4 [0051.726] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.727] lstrlenW (lpString=".xlsx") returned 5 [0051.727] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0051.727] lstrlenW (lpString=".ppt") returned 4 [0051.727] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.727] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0051.727] lstrlenW (lpString=".zip") returned 4 [0051.727] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.727] lstrlenW (lpString=".rar") returned 4 [0051.727] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.727] lstrlenW (lpString=".bz2") returned 4 [0051.727] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.727] lstrlenW (lpString=".7z") returned 3 [0051.727] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.727] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0051.727] lstrlenW (lpString=".dbf") returned 4 [0051.727] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.727] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0051.727] lstrlenW (lpString=".1cd") returned 4 [0051.727] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.727] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0051.727] lstrlenW (lpString=".jpg") returned 4 [0051.727] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.727] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0051.727] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0051.727] lstrlenW (lpString=".doc") returned 4 [0051.727] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.727] lstrlenW (lpString=".docx") returned 5 [0051.727] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0051.727] lstrlenW (lpString=".pdf") returned 4 [0051.727] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.727] lstrlenW (lpString=".xls") returned 4 [0051.727] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.727] lstrlenW (lpString=".xlsx") returned 5 [0051.727] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0051.727] lstrlenW (lpString=".ppt") returned 4 [0051.728] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.728] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0051.728] lstrlenW (lpString=".zip") returned 4 [0051.728] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.728] lstrlenW (lpString=".rar") returned 4 [0051.728] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.728] lstrlenW (lpString=".bz2") returned 4 [0051.728] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.728] lstrlenW (lpString=".7z") returned 3 [0051.728] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.728] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0051.728] lstrlenW (lpString=".dbf") returned 4 [0051.728] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.728] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0051.728] lstrlenW (lpString=".1cd") returned 4 [0051.728] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.728] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0051.728] lstrlenW (lpString=".jpg") returned 4 [0051.728] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.728] lstrcmpiW (lpString1=".chm", lpString2=".bmd") returned 1 [0051.728] lstrlenW (lpString="pss10r.chm") returned 10 [0051.728] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0051.729] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=27195) returned 1 [0051.729] CloseHandle (hObject=0x198) returned 1 [0051.729] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm")) returned 0x2020 [0051.729] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0051.729] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0051.729] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.729] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.730] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0051.730] GetLastError () returned 0x0 [0051.730] ReadFile (in: hFile=0x198, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x6a3b, lpOverlapped=0x0) returned 1 [0051.732] WriteFile (in: hFile=0x1ec, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x6a40, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x6a40, lpOverlapped=0x0) returned 1 [0051.733] ReadFile (in: hFile=0x198, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.733] WriteFile (in: hFile=0x1ec, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0051.733] SetEndOfFile (hFile=0x1ec) returned 1 [0051.734] CloseHandle (hObject=0x1ec) returned 1 [0052.163] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.163] SetEndOfFile (hFile=0x198) returned 1 [0052.165] CloseHandle (hObject=0x198) returned 1 [0052.165] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0052.166] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm")) returned 1 [0052.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0052.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0052.167] lstrlenW (lpString=".doc") returned 4 [0052.167] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0052.167] lstrlenW (lpString=".docx") returned 5 [0052.167] lstrcmpiW (lpString1=".docx", lpString2="r.chm") returned -1 [0052.167] lstrlenW (lpString=".pdf") returned 4 [0052.167] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0052.167] lstrlenW (lpString=".xls") returned 4 [0052.167] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0052.167] lstrlenW (lpString=".xlsx") returned 5 [0052.167] lstrcmpiW (lpString1=".xlsx", lpString2="r.chm") returned -1 [0052.167] lstrlenW (lpString=".ppt") returned 4 [0052.167] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0052.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0052.167] lstrlenW (lpString=".zip") returned 4 [0052.167] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0052.167] lstrlenW (lpString=".rar") returned 4 [0052.167] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0052.167] lstrlenW (lpString=".bz2") returned 4 [0052.167] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0052.167] lstrlenW (lpString=".7z") returned 3 [0052.167] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0052.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0052.168] lstrlenW (lpString=".dbf") returned 4 [0052.168] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0052.168] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0052.168] lstrlenW (lpString=".1cd") returned 4 [0052.168] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0052.168] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0052.168] lstrlenW (lpString=".jpg") returned 4 [0052.168] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0052.168] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0052.168] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0052.168] lstrlenW (lpString=".doc") returned 4 [0052.168] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0052.168] lstrlenW (lpString=".docx") returned 5 [0052.168] lstrcmpiW (lpString1=".docx", lpString2="r.chm") returned -1 [0052.168] lstrlenW (lpString=".pdf") returned 4 [0052.168] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0052.168] lstrlenW (lpString=".xls") returned 4 [0052.168] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0052.168] lstrlenW (lpString=".xlsx") returned 5 [0052.168] lstrcmpiW (lpString1=".xlsx", lpString2="r.chm") returned -1 [0052.168] lstrlenW (lpString=".ppt") returned 4 [0052.168] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0052.168] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0052.168] lstrlenW (lpString=".zip") returned 4 [0052.168] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0052.168] lstrlenW (lpString=".rar") returned 4 [0052.168] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0052.168] lstrlenW (lpString=".bz2") returned 4 [0052.168] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0052.168] lstrlenW (lpString=".7z") returned 3 [0052.168] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0052.168] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0052.168] lstrlenW (lpString=".dbf") returned 4 [0052.168] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0052.169] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0052.169] lstrlenW (lpString=".1cd") returned 4 [0052.169] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0052.169] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0052.169] lstrlenW (lpString=".jpg") returned 4 [0052.169] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0052.169] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0052.169] lstrlenW (lpString="Setup.xml") returned 9 [0052.169] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0052.170] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=2624) returned 1 [0052.170] CloseHandle (hObject=0x198) returned 1 [0052.170] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0052.170] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0052.170] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0052.170] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.170] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.171] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0052.171] GetLastError () returned 0x0 [0052.171] ReadFile (in: hFile=0x198, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0xa40, lpOverlapped=0x0) returned 1 [0052.175] WriteFile (in: hFile=0x1ec, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xa50, lpOverlapped=0x0) returned 1 [0052.177] ReadFile (in: hFile=0x198, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.177] WriteFile (in: hFile=0x1ec, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0052.177] SetEndOfFile (hFile=0x1ec) returned 1 [0052.177] CloseHandle (hObject=0x1ec) returned 1 [0052.184] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.184] SetEndOfFile (hFile=0x198) returned 1 [0052.185] CloseHandle (hObject=0x198) returned 1 [0052.185] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0052.186] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0052.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.186] lstrlenW (lpString=".doc") returned 4 [0052.186] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.186] lstrlenW (lpString=".docx") returned 5 [0052.186] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0052.186] lstrlenW (lpString=".pdf") returned 4 [0052.186] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.186] lstrlenW (lpString=".xls") returned 4 [0052.186] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.186] lstrlenW (lpString=".xlsx") returned 5 [0052.186] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0052.186] lstrlenW (lpString=".ppt") returned 4 [0052.186] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.186] lstrlenW (lpString=".zip") returned 4 [0052.186] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.186] lstrlenW (lpString=".rar") returned 4 [0052.186] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.186] lstrlenW (lpString=".bz2") returned 4 [0052.186] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.186] lstrlenW (lpString=".7z") returned 3 [0052.186] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.186] lstrlenW (lpString=".dbf") returned 4 [0052.186] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.187] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.187] lstrlenW (lpString=".1cd") returned 4 [0052.187] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.187] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.187] lstrlenW (lpString=".jpg") returned 4 [0052.187] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.187] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.187] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.187] lstrlenW (lpString=".doc") returned 4 [0052.187] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.187] lstrlenW (lpString=".docx") returned 5 [0052.187] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0052.187] lstrlenW (lpString=".pdf") returned 4 [0052.187] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.187] lstrlenW (lpString=".xls") returned 4 [0052.187] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.187] lstrlenW (lpString=".xlsx") returned 5 [0052.187] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0052.187] lstrlenW (lpString=".ppt") returned 4 [0052.187] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.187] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.187] lstrlenW (lpString=".zip") returned 4 [0052.187] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.187] lstrlenW (lpString=".rar") returned 4 [0052.187] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.187] lstrlenW (lpString=".bz2") returned 4 [0052.187] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.188] lstrlenW (lpString=".7z") returned 3 [0052.188] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.188] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.188] lstrlenW (lpString=".dbf") returned 4 [0052.188] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.188] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.188] lstrlenW (lpString=".1cd") returned 4 [0052.188] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.188] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.188] lstrlenW (lpString=".jpg") returned 4 [0052.188] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.188] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0052.188] lstrlenW (lpString="Office32WW.xml") returned 14 [0052.188] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0052.190] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=4274) returned 1 [0052.190] CloseHandle (hObject=0x198) returned 1 [0052.190] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0052.190] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0052.190] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0052.190] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.190] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.191] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0052.191] GetLastError () returned 0x0 [0052.191] ReadFile (in: hFile=0x198, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0052.193] WriteFile (in: hFile=0x1ec, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0052.194] ReadFile (in: hFile=0x198, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.194] WriteFile (in: hFile=0x1ec, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0052.194] SetEndOfFile (hFile=0x1ec) returned 1 [0052.194] CloseHandle (hObject=0x1ec) returned 1 [0052.195] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.195] SetEndOfFile (hFile=0x198) returned 1 [0052.196] CloseHandle (hObject=0x198) returned 1 [0052.196] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0052.196] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0052.197] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.197] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.197] lstrlenW (lpString=".doc") returned 4 [0052.197] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.197] lstrlenW (lpString=".docx") returned 5 [0052.197] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0052.197] lstrlenW (lpString=".pdf") returned 4 [0052.197] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.197] lstrlenW (lpString=".xls") returned 4 [0052.197] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.197] lstrlenW (lpString=".xlsx") returned 5 [0052.197] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0052.197] lstrlenW (lpString=".ppt") returned 4 [0052.197] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.197] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.197] lstrlenW (lpString=".zip") returned 4 [0052.197] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.197] lstrlenW (lpString=".rar") returned 4 [0052.197] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.197] lstrlenW (lpString=".bz2") returned 4 [0052.197] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.197] lstrlenW (lpString=".7z") returned 3 [0052.197] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.197] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.197] lstrlenW (lpString=".dbf") returned 4 [0052.197] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.197] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.197] lstrlenW (lpString=".1cd") returned 4 [0052.197] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.197] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.198] lstrlenW (lpString=".jpg") returned 4 [0052.198] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.198] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.198] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.198] lstrlenW (lpString=".doc") returned 4 [0052.198] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.198] lstrlenW (lpString=".docx") returned 5 [0052.198] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0052.198] lstrlenW (lpString=".pdf") returned 4 [0052.198] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.198] lstrlenW (lpString=".xls") returned 4 [0052.198] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.198] lstrlenW (lpString=".xlsx") returned 5 [0052.198] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0052.198] lstrlenW (lpString=".ppt") returned 4 [0052.198] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.198] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.198] lstrlenW (lpString=".zip") returned 4 [0052.198] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.198] lstrlenW (lpString=".rar") returned 4 [0052.198] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.198] lstrlenW (lpString=".bz2") returned 4 [0052.198] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.198] lstrlenW (lpString=".7z") returned 3 [0052.198] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.198] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.198] lstrlenW (lpString=".dbf") returned 4 [0052.198] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.198] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.198] lstrlenW (lpString=".1cd") returned 4 [0052.198] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.198] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.198] lstrlenW (lpString=".jpg") returned 4 [0052.199] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.199] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0052.199] lstrlenW (lpString="ProPlusrWW.xml") returned 14 [0052.199] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0052.616] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=16852) returned 1 [0052.631] CloseHandle (hObject=0x1ec) returned 1 [0052.631] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml")) returned 0x2020 [0052.632] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0052.632] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0052.632] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.644] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.644] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0052.666] GetLastError () returned 0x0 [0052.666] ReadFile (in: hFile=0x1ec, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x41d4, lpOverlapped=0x0) returned 1 [0052.668] WriteFile (in: hFile=0x1f4, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x41e0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x41e0, lpOverlapped=0x0) returned 1 [0052.670] ReadFile (in: hFile=0x1ec, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.670] WriteFile (in: hFile=0x1f4, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0052.670] SetEndOfFile (hFile=0x1f4) returned 1 [0052.670] CloseHandle (hObject=0x1f4) returned 1 [0052.671] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.671] SetEndOfFile (hFile=0x1ec) returned 1 [0052.673] CloseHandle (hObject=0x1ec) returned 1 [0052.673] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0052.673] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml")) returned 1 [0052.673] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0052.673] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0052.673] lstrlenW (lpString=".doc") returned 4 [0052.673] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.673] lstrlenW (lpString=".docx") returned 5 [0052.673] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0052.674] lstrlenW (lpString=".pdf") returned 4 [0052.674] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.674] lstrlenW (lpString=".xls") returned 4 [0052.674] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.674] lstrlenW (lpString=".xlsx") returned 5 [0052.674] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0052.674] lstrlenW (lpString=".ppt") returned 4 [0052.674] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.674] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0052.674] lstrlenW (lpString=".zip") returned 4 [0052.674] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.674] lstrlenW (lpString=".rar") returned 4 [0052.674] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.674] lstrlenW (lpString=".bz2") returned 4 [0052.674] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.674] lstrlenW (lpString=".7z") returned 3 [0052.674] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.674] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0052.674] lstrlenW (lpString=".dbf") returned 4 [0052.674] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.674] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0052.674] lstrlenW (lpString=".1cd") returned 4 [0052.674] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.674] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0052.674] lstrlenW (lpString=".jpg") returned 4 [0052.674] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.674] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0052.674] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0052.674] lstrlenW (lpString=".doc") returned 4 [0052.675] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.675] lstrlenW (lpString=".docx") returned 5 [0052.675] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0052.675] lstrlenW (lpString=".pdf") returned 4 [0052.675] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.675] lstrlenW (lpString=".xls") returned 4 [0052.675] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.675] lstrlenW (lpString=".xlsx") returned 5 [0052.675] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0052.675] lstrlenW (lpString=".ppt") returned 4 [0052.675] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.675] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0052.675] lstrlenW (lpString=".zip") returned 4 [0052.675] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.675] lstrlenW (lpString=".rar") returned 4 [0052.675] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.675] lstrlenW (lpString=".bz2") returned 4 [0052.675] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.675] lstrlenW (lpString=".7z") returned 3 [0052.675] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.675] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0052.675] lstrlenW (lpString=".dbf") returned 4 [0052.675] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.675] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0052.675] lstrlenW (lpString=".1cd") returned 4 [0052.675] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.676] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0052.676] lstrlenW (lpString=".jpg") returned 4 [0052.676] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.676] lstrcmpiW (lpString1=".GIF", lpString2=".bmd") returned 1 [0052.676] lstrlenW (lpString="MS.GIF") returned 6 [0052.676] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0056.093] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=1069) returned 1 [0056.093] CloseHandle (hObject=0x1d0) returned 1 [0056.093] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif")) returned 0x20 [0056.093] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0056.093] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0056.093] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.094] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.094] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0056.094] GetLastError () returned 0x0 [0056.094] ReadFile (in: hFile=0x1d0, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x42d, lpOverlapped=0x0) returned 1 [0057.762] WriteFile (in: hFile=0x1a8, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x430, lpOverlapped=0x0) returned 1 [0057.845] ReadFile (in: hFile=0x1d0, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.845] WriteFile (in: hFile=0x1a8, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0057.845] SetEndOfFile (hFile=0x1a8) returned 1 [0057.845] CloseHandle (hObject=0x1a8) returned 1 [0057.846] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.846] SetEndOfFile (hFile=0x1d0) returned 1 [0057.847] CloseHandle (hObject=0x1d0) returned 1 [0057.847] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0057.848] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif")) returned 1 [0057.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0057.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0057.848] lstrlenW (lpString=".doc") returned 4 [0057.848] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0057.848] lstrlenW (lpString=".docx") returned 5 [0057.848] lstrcmpiW (lpString1=".docx", lpString2="S.GIF") returned -1 [0057.848] lstrlenW (lpString=".pdf") returned 4 [0057.848] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0057.848] lstrlenW (lpString=".xls") returned 4 [0057.848] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0057.848] lstrlenW (lpString=".xlsx") returned 5 [0057.848] lstrcmpiW (lpString1=".xlsx", lpString2="S.GIF") returned -1 [0057.848] lstrlenW (lpString=".ppt") returned 4 [0057.848] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0057.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0057.849] lstrlenW (lpString=".zip") returned 4 [0057.849] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0057.849] lstrlenW (lpString=".rar") returned 4 [0057.849] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0057.849] lstrlenW (lpString=".bz2") returned 4 [0057.849] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0057.849] lstrlenW (lpString=".7z") returned 3 [0057.849] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0057.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0057.849] lstrlenW (lpString=".dbf") returned 4 [0057.849] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0057.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0057.849] lstrlenW (lpString=".1cd") returned 4 [0057.849] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0057.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0057.849] lstrlenW (lpString=".jpg") returned 4 [0057.849] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0057.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0057.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0057.849] lstrlenW (lpString=".doc") returned 4 [0057.849] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0057.849] lstrlenW (lpString=".docx") returned 5 [0057.849] lstrcmpiW (lpString1=".docx", lpString2="S.GIF") returned -1 [0057.849] lstrlenW (lpString=".pdf") returned 4 [0057.850] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0057.850] lstrlenW (lpString=".xls") returned 4 [0057.850] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0057.850] lstrlenW (lpString=".xlsx") returned 5 [0057.850] lstrcmpiW (lpString1=".xlsx", lpString2="S.GIF") returned -1 [0057.850] lstrlenW (lpString=".ppt") returned 4 [0057.850] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0057.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0057.850] lstrlenW (lpString=".zip") returned 4 [0057.850] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0057.850] lstrlenW (lpString=".rar") returned 4 [0057.850] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0057.850] lstrlenW (lpString=".bz2") returned 4 [0057.850] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0057.850] lstrlenW (lpString=".7z") returned 3 [0057.850] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0057.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0057.850] lstrlenW (lpString=".dbf") returned 4 [0057.850] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0057.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0057.850] lstrlenW (lpString=".1cd") returned 4 [0057.850] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0057.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0057.850] lstrlenW (lpString=".jpg") returned 4 [0057.850] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0057.851] lstrcmpiW (lpString1=".avi", lpString2=".bmd") returned -1 [0057.851] lstrlenW (lpString="boxed-join.avi") returned 14 [0057.851] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0058.257] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=33280) returned 1 [0058.257] CloseHandle (hObject=0x1f4) returned 1 [0058.257] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi")) returned 0x20 [0058.257] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.257] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0058.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0058.258] lstrlenW (lpString=".doc") returned 4 [0058.258] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0058.258] lstrlenW (lpString=".docx") returned 5 [0058.258] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0058.258] lstrlenW (lpString=".pdf") returned 4 [0058.258] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0058.258] lstrlenW (lpString=".xls") returned 4 [0058.258] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0058.258] lstrlenW (lpString=".xlsx") returned 5 [0058.258] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0058.258] lstrlenW (lpString=".ppt") returned 4 [0058.258] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0058.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0058.258] lstrlenW (lpString=".zip") returned 4 [0058.258] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0058.258] lstrlenW (lpString=".rar") returned 4 [0058.258] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0058.258] lstrlenW (lpString=".bz2") returned 4 [0058.258] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0058.258] lstrlenW (lpString=".7z") returned 3 [0058.258] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0058.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0058.258] lstrlenW (lpString=".dbf") returned 4 [0058.258] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0058.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0058.258] lstrlenW (lpString=".1cd") returned 4 [0058.258] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0058.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0058.258] lstrlenW (lpString=".jpg") returned 4 [0058.258] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0058.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0058.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0058.259] lstrlenW (lpString=".doc") returned 4 [0058.259] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0058.259] lstrlenW (lpString=".docx") returned 5 [0058.259] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0058.259] lstrlenW (lpString=".pdf") returned 4 [0058.259] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0058.259] lstrlenW (lpString=".xls") returned 4 [0058.259] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0058.259] lstrlenW (lpString=".xlsx") returned 5 [0058.259] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0058.259] lstrlenW (lpString=".ppt") returned 4 [0058.259] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0058.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0058.259] lstrlenW (lpString=".zip") returned 4 [0058.259] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0058.259] lstrlenW (lpString=".rar") returned 4 [0058.259] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0058.259] lstrlenW (lpString=".bz2") returned 4 [0058.259] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0058.259] lstrlenW (lpString=".7z") returned 3 [0058.259] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0058.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0058.259] lstrlenW (lpString=".dbf") returned 4 [0058.259] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0058.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0058.259] lstrlenW (lpString=".1cd") returned 4 [0058.259] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0058.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0058.260] lstrlenW (lpString=".jpg") returned 4 [0058.260] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0058.260] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0058.260] lstrlenW (lpString="keypadbase.xml") returned 14 [0058.260] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0058.653] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=1118) returned 1 [0058.654] CloseHandle (hObject=0x20c) returned 1 [0058.654] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml")) returned 0x20 [0058.654] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.654] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0058.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0058.654] lstrlenW (lpString=".doc") returned 4 [0058.654] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.654] lstrlenW (lpString=".docx") returned 5 [0058.654] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0058.654] lstrlenW (lpString=".pdf") returned 4 [0058.654] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.654] lstrlenW (lpString=".xls") returned 4 [0058.654] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.654] lstrlenW (lpString=".xlsx") returned 5 [0058.654] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0058.654] lstrlenW (lpString=".ppt") returned 4 [0058.654] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0058.654] lstrlenW (lpString=".zip") returned 4 [0058.654] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.655] lstrlenW (lpString=".rar") returned 4 [0058.655] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.655] lstrlenW (lpString=".bz2") returned 4 [0058.655] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.655] lstrlenW (lpString=".7z") returned 3 [0058.655] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0058.655] lstrlenW (lpString=".dbf") returned 4 [0058.655] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0058.655] lstrlenW (lpString=".1cd") returned 4 [0058.655] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0058.655] lstrlenW (lpString=".jpg") returned 4 [0058.655] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0058.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0058.655] lstrlenW (lpString=".doc") returned 4 [0058.655] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.655] lstrlenW (lpString=".docx") returned 5 [0058.655] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0058.655] lstrlenW (lpString=".pdf") returned 4 [0058.655] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.655] lstrlenW (lpString=".xls") returned 4 [0058.655] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.655] lstrlenW (lpString=".xlsx") returned 5 [0058.655] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0058.655] lstrlenW (lpString=".ppt") returned 4 [0058.655] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0058.655] lstrlenW (lpString=".zip") returned 4 [0058.656] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.656] lstrlenW (lpString=".rar") returned 4 [0058.656] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.656] lstrlenW (lpString=".bz2") returned 4 [0058.656] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.656] lstrlenW (lpString=".7z") returned 3 [0058.656] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0058.656] lstrlenW (lpString=".dbf") returned 4 [0058.656] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0058.656] lstrlenW (lpString=".1cd") returned 4 [0058.656] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0058.656] lstrlenW (lpString=".jpg") returned 4 [0058.656] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.656] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0058.656] lstrlenW (lpString="base.xml") returned 8 [0058.656] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0058.658] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=3150) returned 1 [0058.658] CloseHandle (hObject=0x1d0) returned 1 [0058.658] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml")) returned 0x20 [0058.658] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.658] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.658] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0058.658] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0058.659] lstrlenW (lpString=".doc") returned 4 [0058.659] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.659] lstrlenW (lpString=".docx") returned 5 [0058.659] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0058.659] lstrlenW (lpString=".pdf") returned 4 [0058.659] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.659] lstrlenW (lpString=".xls") returned 4 [0058.659] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.659] lstrlenW (lpString=".xlsx") returned 5 [0058.659] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0058.659] lstrlenW (lpString=".ppt") returned 4 [0058.659] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.659] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0058.659] lstrlenW (lpString=".zip") returned 4 [0058.659] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.659] lstrlenW (lpString=".rar") returned 4 [0058.659] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.659] lstrlenW (lpString=".bz2") returned 4 [0058.659] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.659] lstrlenW (lpString=".7z") returned 3 [0058.659] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.659] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0058.659] lstrlenW (lpString=".dbf") returned 4 [0058.659] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.659] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0058.659] lstrlenW (lpString=".1cd") returned 4 [0058.659] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.659] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0058.659] lstrlenW (lpString=".jpg") returned 4 [0058.659] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.659] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0058.659] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0058.660] lstrlenW (lpString=".doc") returned 4 [0058.660] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.660] lstrlenW (lpString=".docx") returned 5 [0058.660] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0058.660] lstrlenW (lpString=".pdf") returned 4 [0058.660] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.660] lstrlenW (lpString=".xls") returned 4 [0058.660] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.660] lstrlenW (lpString=".xlsx") returned 5 [0058.660] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0058.660] lstrlenW (lpString=".ppt") returned 4 [0058.660] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0058.660] lstrlenW (lpString=".zip") returned 4 [0058.660] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.660] lstrlenW (lpString=".rar") returned 4 [0058.660] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.660] lstrlenW (lpString=".bz2") returned 4 [0058.660] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.660] lstrlenW (lpString=".7z") returned 3 [0058.660] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0058.660] lstrlenW (lpString=".dbf") returned 4 [0058.660] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0058.660] lstrlenW (lpString=".1cd") returned 4 [0058.660] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0058.660] lstrlenW (lpString=".jpg") returned 4 [0058.660] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.661] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0058.661] lstrlenW (lpString="baseAltGr_rtl.xml") returned 17 [0058.661] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0058.661] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=247) returned 1 [0058.661] CloseHandle (hObject=0x1d0) returned 1 [0058.661] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml")) returned 0x20 [0058.661] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.661] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0058.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0058.661] lstrlenW (lpString=".doc") returned 4 [0058.661] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.661] lstrlenW (lpString=".docx") returned 5 [0058.662] lstrcmpiW (lpString1=".docx", lpString2="l.xml") returned -1 [0058.662] lstrlenW (lpString=".pdf") returned 4 [0058.662] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.662] lstrlenW (lpString=".xls") returned 4 [0058.662] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.662] lstrlenW (lpString=".xlsx") returned 5 [0058.662] lstrcmpiW (lpString1=".xlsx", lpString2="l.xml") returned -1 [0058.662] lstrlenW (lpString=".ppt") returned 4 [0058.662] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.662] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0058.662] lstrlenW (lpString=".zip") returned 4 [0058.662] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.662] lstrlenW (lpString=".rar") returned 4 [0058.662] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.662] lstrlenW (lpString=".bz2") returned 4 [0058.662] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.662] lstrlenW (lpString=".7z") returned 3 [0058.662] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.662] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0058.662] lstrlenW (lpString=".dbf") returned 4 [0058.662] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.662] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0058.662] lstrlenW (lpString=".1cd") returned 4 [0058.662] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.662] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0058.662] lstrlenW (lpString=".jpg") returned 4 [0058.662] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.662] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0058.662] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0058.663] lstrlenW (lpString=".doc") returned 4 [0058.663] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.663] lstrlenW (lpString=".docx") returned 5 [0058.663] lstrcmpiW (lpString1=".docx", lpString2="l.xml") returned -1 [0058.663] lstrlenW (lpString=".pdf") returned 4 [0058.663] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.663] lstrlenW (lpString=".xls") returned 4 [0058.663] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.663] lstrlenW (lpString=".xlsx") returned 5 [0058.663] lstrcmpiW (lpString1=".xlsx", lpString2="l.xml") returned -1 [0058.663] lstrlenW (lpString=".ppt") returned 4 [0058.663] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0058.663] lstrlenW (lpString=".zip") returned 4 [0058.663] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.663] lstrlenW (lpString=".rar") returned 4 [0058.663] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.663] lstrlenW (lpString=".bz2") returned 4 [0058.663] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.663] lstrlenW (lpString=".7z") returned 3 [0058.663] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0058.663] lstrlenW (lpString=".dbf") returned 4 [0058.663] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0058.663] lstrlenW (lpString=".1cd") returned 4 [0058.663] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0058.663] lstrlenW (lpString=".jpg") returned 4 [0058.663] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.664] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0058.664] lstrlenW (lpString="base_altgr.xml") returned 14 [0058.664] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0058.665] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=3161) returned 1 [0058.665] CloseHandle (hObject=0x1d0) returned 1 [0058.665] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml")) returned 0x20 [0058.665] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.665] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0058.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0058.665] lstrlenW (lpString=".doc") returned 4 [0058.665] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.665] lstrlenW (lpString=".docx") returned 5 [0058.665] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0058.665] lstrlenW (lpString=".pdf") returned 4 [0058.665] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.665] lstrlenW (lpString=".xls") returned 4 [0058.665] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.665] lstrlenW (lpString=".xlsx") returned 5 [0058.665] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0058.665] lstrlenW (lpString=".ppt") returned 4 [0058.665] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0058.666] lstrlenW (lpString=".zip") returned 4 [0058.666] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.666] lstrlenW (lpString=".rar") returned 4 [0058.666] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.666] lstrlenW (lpString=".bz2") returned 4 [0058.666] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.666] lstrlenW (lpString=".7z") returned 3 [0058.666] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0058.666] lstrlenW (lpString=".dbf") returned 4 [0058.666] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0058.666] lstrlenW (lpString=".1cd") returned 4 [0058.666] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0058.666] lstrlenW (lpString=".jpg") returned 4 [0058.666] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0058.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0058.666] lstrlenW (lpString=".doc") returned 4 [0058.666] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.666] lstrlenW (lpString=".docx") returned 5 [0058.666] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0058.666] lstrlenW (lpString=".pdf") returned 4 [0058.666] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.667] lstrlenW (lpString=".xls") returned 4 [0058.667] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.667] lstrlenW (lpString=".xlsx") returned 5 [0058.667] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0058.667] lstrlenW (lpString=".ppt") returned 4 [0058.667] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.667] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0058.667] lstrlenW (lpString=".zip") returned 4 [0058.667] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.667] lstrlenW (lpString=".rar") returned 4 [0058.667] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.667] lstrlenW (lpString=".bz2") returned 4 [0058.667] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.667] lstrlenW (lpString=".7z") returned 3 [0058.667] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.667] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0058.667] lstrlenW (lpString=".dbf") returned 4 [0058.667] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.667] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0058.667] lstrlenW (lpString=".1cd") returned 4 [0058.667] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.667] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0058.667] lstrlenW (lpString=".jpg") returned 4 [0058.667] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.668] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0058.668] lstrlenW (lpString="base_ca.xml") returned 11 [0058.668] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0058.668] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=3166) returned 1 [0058.668] CloseHandle (hObject=0x1d0) returned 1 [0058.668] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml")) returned 0x20 [0058.668] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.668] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.668] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0058.669] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0058.669] lstrlenW (lpString=".doc") returned 4 [0058.669] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.669] lstrlenW (lpString=".docx") returned 5 [0058.669] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0058.669] lstrlenW (lpString=".pdf") returned 4 [0058.669] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.669] lstrlenW (lpString=".xls") returned 4 [0058.669] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.669] lstrlenW (lpString=".xlsx") returned 5 [0058.669] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0058.669] lstrlenW (lpString=".ppt") returned 4 [0058.669] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.669] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0058.669] lstrlenW (lpString=".zip") returned 4 [0058.669] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.669] lstrlenW (lpString=".rar") returned 4 [0058.669] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.669] lstrlenW (lpString=".bz2") returned 4 [0058.669] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.669] lstrlenW (lpString=".7z") returned 3 [0058.669] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.669] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0058.669] lstrlenW (lpString=".dbf") returned 4 [0058.670] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.150] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.158] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.158] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0059.159] GetLastError () returned 0x0 [0059.159] ReadFile (in: hFile=0x1a8, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x333, lpOverlapped=0x0) returned 1 [0059.281] WriteFile (in: hFile=0x208, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x340, lpOverlapped=0x0) returned 1 [0059.282] ReadFile (in: hFile=0x1a8, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.282] WriteFile (in: hFile=0x208, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0059.283] SetEndOfFile (hFile=0x208) returned 1 [0059.283] CloseHandle (hObject=0x208) returned 1 [0059.286] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.286] SetEndOfFile (hFile=0x1a8) returned 1 [0059.287] CloseHandle (hObject=0x1a8) returned 1 [0059.287] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0059.287] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml")) returned 1 [0059.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0059.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0059.288] lstrlenW (lpString=".doc") returned 4 [0059.288] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0059.288] lstrlenW (lpString=".docx") returned 5 [0059.288] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0059.288] lstrlenW (lpString=".pdf") returned 4 [0059.288] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0059.288] lstrlenW (lpString=".xls") returned 4 [0059.288] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0059.288] lstrlenW (lpString=".xlsx") returned 5 [0059.288] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0059.288] lstrlenW (lpString=".ppt") returned 4 [0059.288] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0059.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0059.288] lstrlenW (lpString=".zip") returned 4 [0059.288] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0059.288] lstrlenW (lpString=".rar") returned 4 [0059.288] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0059.288] lstrlenW (lpString=".bz2") returned 4 [0059.288] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0059.288] lstrlenW (lpString=".7z") returned 3 [0059.288] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0059.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0059.288] lstrlenW (lpString=".dbf") returned 4 [0059.288] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0059.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0059.288] lstrlenW (lpString=".1cd") returned 4 [0059.288] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0059.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0059.289] lstrlenW (lpString=".jpg") returned 4 [0059.289] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0059.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0059.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0059.289] lstrlenW (lpString=".doc") returned 4 [0059.289] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0059.289] lstrlenW (lpString=".docx") returned 5 [0059.289] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0059.289] lstrlenW (lpString=".pdf") returned 4 [0059.289] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0059.289] lstrlenW (lpString=".xls") returned 4 [0059.289] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0059.289] lstrlenW (lpString=".xlsx") returned 5 [0059.289] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0059.289] lstrlenW (lpString=".ppt") returned 4 [0059.289] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0059.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0059.289] lstrlenW (lpString=".zip") returned 4 [0059.289] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0059.289] lstrlenW (lpString=".rar") returned 4 [0059.289] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0059.289] lstrlenW (lpString=".bz2") returned 4 [0059.290] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0059.290] lstrlenW (lpString=".7z") returned 3 [0059.290] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0059.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0059.290] lstrlenW (lpString=".dbf") returned 4 [0059.290] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0059.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0059.290] lstrlenW (lpString=".1cd") returned 4 [0059.290] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0059.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0059.290] lstrlenW (lpString=".jpg") returned 4 [0059.290] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0059.516] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0059.516] lstrlenW (lpString="GrooveMUI.XML") returned 13 [0059.516] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0059.782] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=913) returned 1 [0059.782] CloseHandle (hObject=0x1b8) returned 1 [0059.782] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml")) returned 0x20 [0059.782] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0059.782] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0059.782] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.782] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.782] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0060.725] GetLastError () returned 0x0 [0060.725] ReadFile (in: hFile=0x1b8, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x391, lpOverlapped=0x0) returned 1 [0060.764] WriteFile (in: hFile=0x1d0, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x3a0, lpOverlapped=0x0) returned 1 [0060.765] ReadFile (in: hFile=0x1b8, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.765] WriteFile (in: hFile=0x1d0, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xee, lpOverlapped=0x0) returned 1 [0060.766] SetEndOfFile (hFile=0x1d0) returned 1 [0060.766] CloseHandle (hObject=0x1d0) returned 1 [0060.767] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.767] SetEndOfFile (hFile=0x1b8) returned 1 [0060.767] CloseHandle (hObject=0x1b8) returned 1 [0060.768] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0060.768] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml")) returned 1 [0060.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0060.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0060.768] lstrlenW (lpString=".doc") returned 4 [0060.768] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0060.768] lstrlenW (lpString=".docx") returned 5 [0060.768] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0060.768] lstrlenW (lpString=".pdf") returned 4 [0060.768] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0060.768] lstrlenW (lpString=".xls") returned 4 [0060.768] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0060.768] lstrlenW (lpString=".xlsx") returned 5 [0060.768] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0060.768] lstrlenW (lpString=".ppt") returned 4 [0060.768] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0060.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0060.769] lstrlenW (lpString=".zip") returned 4 [0060.769] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0060.769] lstrlenW (lpString=".rar") returned 4 [0060.769] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0060.769] lstrlenW (lpString=".bz2") returned 4 [0060.769] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0060.769] lstrlenW (lpString=".7z") returned 3 [0060.769] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0060.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0060.769] lstrlenW (lpString=".dbf") returned 4 [0060.769] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0060.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0060.769] lstrlenW (lpString=".1cd") returned 4 [0060.769] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0060.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0060.769] lstrlenW (lpString=".jpg") returned 4 [0060.769] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0060.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0060.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0060.769] lstrlenW (lpString=".doc") returned 4 [0060.769] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0060.769] lstrlenW (lpString=".docx") returned 5 [0060.769] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0060.769] lstrlenW (lpString=".pdf") returned 4 [0060.769] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0060.769] lstrlenW (lpString=".xls") returned 4 [0060.769] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0060.769] lstrlenW (lpString=".xlsx") returned 5 [0060.769] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0060.769] lstrlenW (lpString=".ppt") returned 4 [0060.769] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0060.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0060.770] lstrlenW (lpString=".zip") returned 4 [0060.770] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0060.770] lstrlenW (lpString=".rar") returned 4 [0060.770] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0060.770] lstrlenW (lpString=".bz2") returned 4 [0060.770] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0060.770] lstrlenW (lpString=".7z") returned 3 [0060.770] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0060.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0060.770] lstrlenW (lpString=".dbf") returned 4 [0060.770] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0060.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0060.770] lstrlenW (lpString=".1cd") returned 4 [0060.770] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0060.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0060.770] lstrlenW (lpString=".jpg") returned 4 [0060.770] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0060.880] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0060.880] lstrlenW (lpString="OfficeMUISet.XML") returned 16 [0060.880] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0061.504] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=819) returned 1 [0061.504] CloseHandle (hObject=0x1ac) returned 1 [0061.504] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml")) returned 0x20 [0061.504] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0061.504] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0061.504] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.504] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.504] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0061.505] GetLastError () returned 0x0 [0061.505] ReadFile (in: hFile=0x1ac, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x333, lpOverlapped=0x0) returned 1 [0062.091] WriteFile (in: hFile=0x1ec, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x340, lpOverlapped=0x0) returned 1 [0062.093] ReadFile (in: hFile=0x1ac, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0062.093] WriteFile (in: hFile=0x1ec, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0062.093] SetEndOfFile (hFile=0x1ec) returned 1 [0062.093] CloseHandle (hObject=0x1ec) returned 1 [0062.094] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.094] SetEndOfFile (hFile=0x1ac) returned 1 [0062.095] CloseHandle (hObject=0x1ac) returned 1 [0062.095] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.096] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml")) returned 1 [0062.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0062.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0062.100] lstrlenW (lpString=".doc") returned 4 [0062.100] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.100] lstrlenW (lpString=".docx") returned 5 [0062.100] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0062.100] lstrlenW (lpString=".pdf") returned 4 [0062.100] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.100] lstrlenW (lpString=".xls") returned 4 [0062.100] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.101] lstrlenW (lpString=".xlsx") returned 5 [0062.101] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0062.101] lstrlenW (lpString=".ppt") returned 4 [0062.101] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0062.101] lstrlenW (lpString=".zip") returned 4 [0062.101] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.101] lstrlenW (lpString=".rar") returned 4 [0062.101] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.101] lstrlenW (lpString=".bz2") returned 4 [0062.101] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.101] lstrlenW (lpString=".7z") returned 3 [0062.101] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0062.101] lstrlenW (lpString=".dbf") returned 4 [0062.101] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0062.101] lstrlenW (lpString=".1cd") returned 4 [0062.101] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0062.101] lstrlenW (lpString=".jpg") returned 4 [0062.101] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0062.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0062.102] lstrlenW (lpString=".doc") returned 4 [0062.102] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.102] lstrlenW (lpString=".docx") returned 5 [0062.102] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0062.102] lstrlenW (lpString=".pdf") returned 4 [0062.102] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.102] lstrlenW (lpString=".xls") returned 4 [0062.102] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.102] lstrlenW (lpString=".xlsx") returned 5 [0062.102] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0062.102] lstrlenW (lpString=".ppt") returned 4 [0062.102] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0062.102] lstrlenW (lpString=".zip") returned 4 [0062.102] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.102] lstrlenW (lpString=".rar") returned 4 [0062.102] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.102] lstrlenW (lpString=".bz2") returned 4 [0062.102] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.102] lstrlenW (lpString=".7z") returned 3 [0062.102] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.103] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0062.103] lstrlenW (lpString=".dbf") returned 4 [0062.103] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.103] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0062.103] lstrlenW (lpString=".1cd") returned 4 [0062.103] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.103] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0062.103] lstrlenW (lpString=".jpg") returned 4 [0062.103] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.126] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.126] lstrlenW (lpString="SETUP.XML") returned 9 [0062.126] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0062.131] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=9352) returned 1 [0062.145] CloseHandle (hObject=0x21c) returned 1 [0062.145] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml")) returned 0x20 [0062.145] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.146] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0062.146] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.146] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.146] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0062.146] GetLastError () returned 0x0 [0062.146] ReadFile (in: hFile=0x21c, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x2488, lpOverlapped=0x0) returned 1 [0062.156] WriteFile (in: hFile=0x218, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x2490, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x2490, lpOverlapped=0x0) returned 1 [0062.157] ReadFile (in: hFile=0x21c, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0062.157] WriteFile (in: hFile=0x218, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0062.157] SetEndOfFile (hFile=0x218) returned 1 [0062.158] CloseHandle (hObject=0x218) returned 1 [0062.159] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.159] SetEndOfFile (hFile=0x21c) returned 1 [0062.160] CloseHandle (hObject=0x21c) returned 1 [0062.160] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.160] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml")) returned 1 [0062.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0062.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0062.161] lstrlenW (lpString=".doc") returned 4 [0062.161] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.161] lstrlenW (lpString=".docx") returned 5 [0062.161] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0062.161] lstrlenW (lpString=".pdf") returned 4 [0062.161] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.161] lstrlenW (lpString=".xls") returned 4 [0062.161] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.161] lstrlenW (lpString=".xlsx") returned 5 [0062.161] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0062.161] lstrlenW (lpString=".ppt") returned 4 [0062.161] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0062.161] lstrlenW (lpString=".zip") returned 4 [0062.161] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.161] lstrlenW (lpString=".rar") returned 4 [0062.161] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.161] lstrlenW (lpString=".bz2") returned 4 [0062.162] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.162] lstrlenW (lpString=".7z") returned 3 [0062.162] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0062.162] lstrlenW (lpString=".dbf") returned 4 [0062.162] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0062.162] lstrlenW (lpString=".1cd") returned 4 [0062.162] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0062.162] lstrlenW (lpString=".jpg") returned 4 [0062.162] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0062.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0062.162] lstrlenW (lpString=".doc") returned 4 [0062.162] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.162] lstrlenW (lpString=".docx") returned 5 [0062.162] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0062.162] lstrlenW (lpString=".pdf") returned 4 [0062.162] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.162] lstrlenW (lpString=".xls") returned 4 [0062.162] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.162] lstrlenW (lpString=".xlsx") returned 5 [0062.162] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0062.162] lstrlenW (lpString=".ppt") returned 4 [0062.163] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0062.163] lstrlenW (lpString=".zip") returned 4 [0062.163] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.163] lstrlenW (lpString=".rar") returned 4 [0062.163] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.163] lstrlenW (lpString=".bz2") returned 4 [0062.163] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.163] lstrlenW (lpString=".7z") returned 3 [0062.163] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0062.163] lstrlenW (lpString=".dbf") returned 4 [0062.163] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0062.163] lstrlenW (lpString=".1cd") returned 4 [0062.163] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0062.163] lstrlenW (lpString=".jpg") returned 4 [0062.163] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.163] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.163] lstrlenW (lpString="Office32WW.XML") returned 14 [0062.164] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0062.164] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=4274) returned 1 [0062.164] CloseHandle (hObject=0x21c) returned 1 [0062.164] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml")) returned 0x20 [0062.164] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.164] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0062.165] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.165] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.165] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0062.165] GetLastError () returned 0x0 [0062.165] ReadFile (in: hFile=0x21c, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0062.183] WriteFile (in: hFile=0x218, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0062.184] ReadFile (in: hFile=0x21c, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0062.184] WriteFile (in: hFile=0x218, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0062.184] SetEndOfFile (hFile=0x218) returned 1 [0062.184] CloseHandle (hObject=0x218) returned 1 [0062.185] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.185] SetEndOfFile (hFile=0x21c) returned 1 [0062.186] CloseHandle (hObject=0x21c) returned 1 [0062.186] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.187] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml")) returned 1 [0062.187] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0062.187] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0062.187] lstrlenW (lpString=".doc") returned 4 [0062.187] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.187] lstrlenW (lpString=".docx") returned 5 [0062.187] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0062.187] lstrlenW (lpString=".pdf") returned 4 [0062.187] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.187] lstrlenW (lpString=".xls") returned 4 [0062.187] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.188] lstrlenW (lpString=".xlsx") returned 5 [0062.188] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0062.188] lstrlenW (lpString=".ppt") returned 4 [0062.188] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0062.188] lstrlenW (lpString=".zip") returned 4 [0062.188] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.188] lstrlenW (lpString=".rar") returned 4 [0062.188] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.188] lstrlenW (lpString=".bz2") returned 4 [0062.188] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.188] lstrlenW (lpString=".7z") returned 3 [0062.188] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0062.188] lstrlenW (lpString=".dbf") returned 4 [0062.188] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0062.188] lstrlenW (lpString=".1cd") returned 4 [0062.188] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0062.188] lstrlenW (lpString=".jpg") returned 4 [0062.188] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0062.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0062.188] lstrlenW (lpString=".doc") returned 4 [0062.189] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.189] lstrlenW (lpString=".docx") returned 5 [0062.189] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0062.189] lstrlenW (lpString=".pdf") returned 4 [0062.189] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.189] lstrlenW (lpString=".xls") returned 4 [0062.189] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.189] lstrlenW (lpString=".xlsx") returned 5 [0062.189] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0062.189] lstrlenW (lpString=".ppt") returned 4 [0062.189] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0062.189] lstrlenW (lpString=".zip") returned 4 [0062.189] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.189] lstrlenW (lpString=".rar") returned 4 [0062.189] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.189] lstrlenW (lpString=".bz2") returned 4 [0062.189] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.189] lstrlenW (lpString=".7z") returned 3 [0062.189] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0062.189] lstrlenW (lpString=".dbf") returned 4 [0062.189] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0062.189] lstrlenW (lpString=".1cd") returned 4 [0062.189] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0062.189] lstrlenW (lpString=".jpg") returned 4 [0062.190] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.190] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.190] lstrlenW (lpString="SETUP.XML") returned 9 [0062.190] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0062.319] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=1988) returned 1 [0062.319] CloseHandle (hObject=0x19c) returned 1 [0062.319] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml")) returned 0x20 [0062.319] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.319] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0062.319] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.319] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.319] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0062.320] GetLastError () returned 0x0 [0062.320] ReadFile (in: hFile=0x19c, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x7c4, lpOverlapped=0x0) returned 1 [0062.342] WriteFile (in: hFile=0x210, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x7d0, lpOverlapped=0x0) returned 1 [0062.350] ReadFile (in: hFile=0x19c, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0062.350] WriteFile (in: hFile=0x210, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0062.350] SetEndOfFile (hFile=0x210) returned 1 [0062.351] CloseHandle (hObject=0x210) returned 1 [0062.358] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.358] SetEndOfFile (hFile=0x19c) returned 1 [0062.359] CloseHandle (hObject=0x19c) returned 1 [0062.359] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.360] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml")) returned 1 [0062.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0062.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0062.360] lstrlenW (lpString=".doc") returned 4 [0062.360] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.360] lstrlenW (lpString=".docx") returned 5 [0062.360] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0062.360] lstrlenW (lpString=".pdf") returned 4 [0062.360] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.360] lstrlenW (lpString=".xls") returned 4 [0062.360] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.360] lstrlenW (lpString=".xlsx") returned 5 [0062.360] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0062.360] lstrlenW (lpString=".ppt") returned 4 [0062.360] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0062.361] lstrlenW (lpString=".zip") returned 4 [0062.361] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.361] lstrlenW (lpString=".rar") returned 4 [0062.361] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.361] lstrlenW (lpString=".bz2") returned 4 [0062.361] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.361] lstrlenW (lpString=".7z") returned 3 [0062.361] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0062.361] lstrlenW (lpString=".dbf") returned 4 [0062.361] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0062.361] lstrlenW (lpString=".1cd") returned 4 [0062.361] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0062.361] lstrlenW (lpString=".jpg") returned 4 [0062.361] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0062.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0062.361] lstrlenW (lpString=".doc") returned 4 [0062.361] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.361] lstrlenW (lpString=".docx") returned 5 [0062.361] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0062.361] lstrlenW (lpString=".pdf") returned 4 [0062.361] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.361] lstrlenW (lpString=".xls") returned 4 [0062.361] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.361] lstrlenW (lpString=".xlsx") returned 5 [0062.361] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0062.362] lstrlenW (lpString=".ppt") returned 4 [0062.362] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0062.362] lstrlenW (lpString=".zip") returned 4 [0062.362] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.362] lstrlenW (lpString=".rar") returned 4 [0062.362] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.362] lstrlenW (lpString=".bz2") returned 4 [0062.362] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.362] lstrlenW (lpString=".7z") returned 3 [0062.362] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0062.362] lstrlenW (lpString=".dbf") returned 4 [0062.362] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0062.362] lstrlenW (lpString=".1cd") returned 4 [0062.362] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0062.362] lstrlenW (lpString=".jpg") returned 4 [0062.362] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.362] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.362] lstrlenW (lpString="PrjProrWW.XML") returned 13 [0062.362] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0062.388] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=6421) returned 1 [0062.388] CloseHandle (hObject=0x1ec) returned 1 [0062.388] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml")) returned 0x20 [0062.388] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.388] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0062.388] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.388] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.388] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0062.389] GetLastError () returned 0x0 [0062.389] ReadFile (in: hFile=0x1ec, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x1915, lpOverlapped=0x0) returned 1 [0062.391] WriteFile (in: hFile=0x188, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x1920, lpOverlapped=0x0) returned 1 [0062.392] ReadFile (in: hFile=0x1ec, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0062.392] WriteFile (in: hFile=0x188, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xee, lpOverlapped=0x0) returned 1 [0062.392] SetEndOfFile (hFile=0x188) returned 1 [0062.393] CloseHandle (hObject=0x188) returned 1 [0062.398] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.398] SetEndOfFile (hFile=0x1ec) returned 1 [0062.399] CloseHandle (hObject=0x1ec) returned 1 [0062.399] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.399] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml")) returned 1 [0062.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0062.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0062.400] lstrlenW (lpString=".doc") returned 4 [0062.400] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.400] lstrlenW (lpString=".docx") returned 5 [0062.400] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0062.400] lstrlenW (lpString=".pdf") returned 4 [0062.400] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.400] lstrlenW (lpString=".xls") returned 4 [0062.400] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.400] lstrlenW (lpString=".xlsx") returned 5 [0062.400] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0062.400] lstrlenW (lpString=".ppt") returned 4 [0062.400] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0062.400] lstrlenW (lpString=".zip") returned 4 [0062.400] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.400] lstrlenW (lpString=".rar") returned 4 [0062.400] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.400] lstrlenW (lpString=".bz2") returned 4 [0062.400] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.400] lstrlenW (lpString=".7z") returned 3 [0062.401] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0062.401] lstrlenW (lpString=".dbf") returned 4 [0062.401] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0062.401] lstrlenW (lpString=".1cd") returned 4 [0062.401] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0062.401] lstrlenW (lpString=".jpg") returned 4 [0062.401] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0062.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0062.401] lstrlenW (lpString=".doc") returned 4 [0062.401] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.401] lstrlenW (lpString=".docx") returned 5 [0062.401] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0062.401] lstrlenW (lpString=".pdf") returned 4 [0062.401] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.401] lstrlenW (lpString=".xls") returned 4 [0062.401] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.401] lstrlenW (lpString=".xlsx") returned 5 [0062.401] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0062.401] lstrlenW (lpString=".ppt") returned 4 [0062.401] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0062.401] lstrlenW (lpString=".zip") returned 4 [0062.402] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.402] lstrlenW (lpString=".rar") returned 4 [0062.402] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.402] lstrlenW (lpString=".bz2") returned 4 [0062.402] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.402] lstrlenW (lpString=".7z") returned 3 [0062.402] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.402] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0062.402] lstrlenW (lpString=".dbf") returned 4 [0062.402] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.402] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0062.402] lstrlenW (lpString=".1cd") returned 4 [0062.402] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.402] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0062.402] lstrlenW (lpString=".jpg") returned 4 [0062.402] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.402] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.402] lstrlenW (lpString="ProjectMUI.XML") returned 14 [0062.402] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0062.403] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=1452) returned 1 [0062.403] CloseHandle (hObject=0x1ec) returned 1 [0062.403] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml")) returned 0x20 [0062.403] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.403] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0062.403] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.403] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.403] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0062.449] GetLastError () returned 0x0 [0062.449] ReadFile (in: hFile=0x1ec, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x5ac, lpOverlapped=0x0) returned 1 [0062.558] WriteFile (in: hFile=0x214, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0062.559] ReadFile (in: hFile=0x1ec, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0062.559] WriteFile (in: hFile=0x214, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0062.559] SetEndOfFile (hFile=0x214) returned 1 [0062.559] CloseHandle (hObject=0x214) returned 1 [0062.566] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.566] SetEndOfFile (hFile=0x1ec) returned 1 [0062.567] CloseHandle (hObject=0x1ec) returned 1 [0062.567] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.567] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml")) returned 1 [0062.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0062.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0062.567] lstrlenW (lpString=".doc") returned 4 [0062.567] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.567] lstrlenW (lpString=".docx") returned 5 [0062.568] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0062.568] lstrlenW (lpString=".pdf") returned 4 [0062.568] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.568] lstrlenW (lpString=".xls") returned 4 [0062.568] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.568] lstrlenW (lpString=".xlsx") returned 5 [0062.568] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0062.568] lstrlenW (lpString=".ppt") returned 4 [0062.568] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0062.568] lstrlenW (lpString=".zip") returned 4 [0062.568] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.568] lstrlenW (lpString=".rar") returned 4 [0062.568] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.568] lstrlenW (lpString=".bz2") returned 4 [0062.568] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.568] lstrlenW (lpString=".7z") returned 3 [0062.568] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0062.568] lstrlenW (lpString=".dbf") returned 4 [0062.568] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0062.568] lstrlenW (lpString=".1cd") returned 4 [0062.568] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0062.568] lstrlenW (lpString=".jpg") returned 4 [0062.568] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0062.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0062.568] lstrlenW (lpString=".doc") returned 4 [0062.568] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.569] lstrlenW (lpString=".docx") returned 5 [0062.569] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0062.569] lstrlenW (lpString=".pdf") returned 4 [0062.569] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.569] lstrlenW (lpString=".xls") returned 4 [0062.569] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.569] lstrlenW (lpString=".xlsx") returned 5 [0062.569] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0062.569] lstrlenW (lpString=".ppt") returned 4 [0062.569] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0062.569] lstrlenW (lpString=".zip") returned 4 [0062.569] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.569] lstrlenW (lpString=".rar") returned 4 [0062.569] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.569] lstrlenW (lpString=".bz2") returned 4 [0062.569] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.569] lstrlenW (lpString=".7z") returned 3 [0062.569] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0062.569] lstrlenW (lpString=".dbf") returned 4 [0062.569] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0062.569] lstrlenW (lpString=".1cd") returned 4 [0062.569] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0062.569] lstrlenW (lpString=".jpg") returned 4 [0062.569] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.570] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.570] lstrlenW (lpString="Proof.XML") returned 9 [0062.570] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0062.570] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=1458) returned 1 [0062.570] CloseHandle (hObject=0x1ec) returned 1 [0062.570] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml")) returned 0x20 [0062.570] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.571] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0062.571] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.575] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.575] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0062.576] GetLastError () returned 0x0 [0062.576] ReadFile (in: hFile=0x1ec, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x5b2, lpOverlapped=0x0) returned 1 [0062.739] WriteFile (in: hFile=0x214, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0062.740] ReadFile (in: hFile=0x1ec, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0062.741] WriteFile (in: hFile=0x214, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0062.741] SetEndOfFile (hFile=0x214) returned 1 [0062.741] CloseHandle (hObject=0x214) returned 1 [0062.742] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.742] SetEndOfFile (hFile=0x1ec) returned 1 [0062.743] CloseHandle (hObject=0x1ec) returned 1 [0062.743] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.744] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml")) returned 1 [0062.744] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0062.744] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0062.744] lstrlenW (lpString=".doc") returned 4 [0062.744] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.744] lstrlenW (lpString=".docx") returned 5 [0062.744] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0062.744] lstrlenW (lpString=".pdf") returned 4 [0062.744] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.744] lstrlenW (lpString=".xls") returned 4 [0062.744] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.744] lstrlenW (lpString=".xlsx") returned 5 [0062.744] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0062.744] lstrlenW (lpString=".ppt") returned 4 [0062.744] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.744] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0062.744] lstrlenW (lpString=".zip") returned 4 [0062.744] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.744] lstrlenW (lpString=".rar") returned 4 [0062.744] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.744] lstrlenW (lpString=".bz2") returned 4 [0062.744] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.744] lstrlenW (lpString=".7z") returned 3 [0062.744] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.744] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0062.744] lstrlenW (lpString=".dbf") returned 4 [0062.745] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0062.745] lstrlenW (lpString=".1cd") returned 4 [0062.745] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0062.745] lstrlenW (lpString=".jpg") returned 4 [0062.745] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0062.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0062.745] lstrlenW (lpString=".doc") returned 4 [0062.745] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.745] lstrlenW (lpString=".docx") returned 5 [0062.745] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0062.745] lstrlenW (lpString=".pdf") returned 4 [0062.745] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.745] lstrlenW (lpString=".xls") returned 4 [0062.745] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.745] lstrlenW (lpString=".xlsx") returned 5 [0062.745] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0062.745] lstrlenW (lpString=".ppt") returned 4 [0062.745] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0062.745] lstrlenW (lpString=".zip") returned 4 [0062.745] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.745] lstrlenW (lpString=".rar") returned 4 [0062.745] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.745] lstrlenW (lpString=".bz2") returned 4 [0062.745] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.745] lstrlenW (lpString=".7z") returned 3 [0062.745] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0062.745] lstrlenW (lpString=".dbf") returned 4 [0062.745] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0062.745] lstrlenW (lpString=".1cd") returned 4 [0062.746] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0062.746] lstrlenW (lpString=".jpg") returned 4 [0062.746] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.746] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.746] lstrlenW (lpString="Proofing.XML") returned 12 [0062.746] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0062.822] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=811) returned 1 [0062.822] CloseHandle (hObject=0x21c) returned 1 [0062.822] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml")) returned 0x20 [0062.822] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.822] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0062.822] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.823] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.823] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0062.823] GetLastError () returned 0x0 [0062.823] ReadFile (in: hFile=0x21c, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x32b, lpOverlapped=0x0) returned 1 [0062.833] WriteFile (in: hFile=0x198, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x330, lpOverlapped=0x0) returned 1 [0062.834] ReadFile (in: hFile=0x21c, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0062.835] WriteFile (in: hFile=0x198, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0062.835] SetEndOfFile (hFile=0x198) returned 1 [0062.841] CloseHandle (hObject=0x198) returned 1 [0062.841] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.841] SetEndOfFile (hFile=0x21c) returned 1 [0062.842] CloseHandle (hObject=0x21c) returned 1 [0062.842] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.843] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml")) returned 1 [0062.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0062.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0062.843] lstrlenW (lpString=".doc") returned 4 [0062.843] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.843] lstrlenW (lpString=".docx") returned 5 [0062.843] lstrcmpiW (lpString1=".docx", lpString2="g.XML") returned -1 [0062.843] lstrlenW (lpString=".pdf") returned 4 [0062.843] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.843] lstrlenW (lpString=".xls") returned 4 [0062.843] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.843] lstrlenW (lpString=".xlsx") returned 5 [0062.843] lstrcmpiW (lpString1=".xlsx", lpString2="g.XML") returned -1 [0062.843] lstrlenW (lpString=".ppt") returned 4 [0062.843] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0062.843] lstrlenW (lpString=".zip") returned 4 [0062.843] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.843] lstrlenW (lpString=".rar") returned 4 [0062.843] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.843] lstrlenW (lpString=".bz2") returned 4 [0062.843] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.843] lstrlenW (lpString=".7z") returned 3 [0062.843] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0062.844] lstrlenW (lpString=".dbf") returned 4 [0062.844] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0062.844] lstrlenW (lpString=".1cd") returned 4 [0062.844] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0062.844] lstrlenW (lpString=".jpg") returned 4 [0062.844] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0062.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0062.844] lstrlenW (lpString=".doc") returned 4 [0062.844] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.844] lstrlenW (lpString=".docx") returned 5 [0062.844] lstrcmpiW (lpString1=".docx", lpString2="g.XML") returned -1 [0062.844] lstrlenW (lpString=".pdf") returned 4 [0062.844] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.844] lstrlenW (lpString=".xls") returned 4 [0062.844] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.844] lstrlenW (lpString=".xlsx") returned 5 [0062.844] lstrcmpiW (lpString1=".xlsx", lpString2="g.XML") returned -1 [0062.844] lstrlenW (lpString=".ppt") returned 4 [0062.844] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0062.844] lstrlenW (lpString=".zip") returned 4 [0062.844] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.844] lstrlenW (lpString=".rar") returned 4 [0062.844] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.844] lstrlenW (lpString=".bz2") returned 4 [0062.844] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.844] lstrlenW (lpString=".7z") returned 3 [0062.844] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0062.844] lstrlenW (lpString=".dbf") returned 4 [0062.844] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0062.845] lstrlenW (lpString=".1cd") returned 4 [0062.845] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.845] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0062.845] lstrlenW (lpString=".jpg") returned 4 [0062.845] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.845] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.845] lstrlenW (lpString="ProPlusrWW.XML") returned 14 [0062.845] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0062.846] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=16852) returned 1 [0062.846] CloseHandle (hObject=0x21c) returned 1 [0062.847] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml")) returned 0x20 [0062.847] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.847] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0062.847] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.847] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.847] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0062.847] GetLastError () returned 0x0 [0062.847] ReadFile (in: hFile=0x21c, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x41d4, lpOverlapped=0x0) returned 1 [0062.904] WriteFile (in: hFile=0x198, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x41e0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x41e0, lpOverlapped=0x0) returned 1 [0062.905] ReadFile (in: hFile=0x21c, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0062.905] WriteFile (in: hFile=0x198, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0062.905] SetEndOfFile (hFile=0x198) returned 1 [0062.905] CloseHandle (hObject=0x198) returned 1 [0062.906] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.906] SetEndOfFile (hFile=0x21c) returned 1 [0062.907] CloseHandle (hObject=0x21c) returned 1 [0062.907] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.907] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml")) returned 1 [0062.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0062.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0062.907] lstrlenW (lpString=".doc") returned 4 [0062.907] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.907] lstrlenW (lpString=".docx") returned 5 [0062.908] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0062.908] lstrlenW (lpString=".pdf") returned 4 [0062.908] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.908] lstrlenW (lpString=".xls") returned 4 [0062.908] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.908] lstrlenW (lpString=".xlsx") returned 5 [0062.908] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0062.908] lstrlenW (lpString=".ppt") returned 4 [0062.908] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0062.908] lstrlenW (lpString=".zip") returned 4 [0062.908] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.908] lstrlenW (lpString=".rar") returned 4 [0062.908] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.908] lstrlenW (lpString=".bz2") returned 4 [0062.908] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.908] lstrlenW (lpString=".7z") returned 3 [0062.908] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0062.908] lstrlenW (lpString=".dbf") returned 4 [0062.908] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0062.908] lstrlenW (lpString=".1cd") returned 4 [0062.908] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0062.908] lstrlenW (lpString=".jpg") returned 4 [0062.908] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0062.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0062.908] lstrlenW (lpString=".doc") returned 4 [0062.908] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.908] lstrlenW (lpString=".docx") returned 5 [0062.909] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0062.909] lstrlenW (lpString=".pdf") returned 4 [0062.909] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.909] lstrlenW (lpString=".xls") returned 4 [0062.909] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.909] lstrlenW (lpString=".xlsx") returned 5 [0062.909] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0062.909] lstrlenW (lpString=".ppt") returned 4 [0062.909] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0062.909] lstrlenW (lpString=".zip") returned 4 [0062.909] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.909] lstrlenW (lpString=".rar") returned 4 [0062.909] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.909] lstrlenW (lpString=".bz2") returned 4 [0062.909] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.909] lstrlenW (lpString=".7z") returned 3 [0062.909] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0062.909] lstrlenW (lpString=".dbf") returned 4 [0062.909] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0062.909] lstrlenW (lpString=".1cd") returned 4 [0062.909] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0062.909] lstrlenW (lpString=".jpg") returned 4 [0062.909] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.909] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.910] lstrlenW (lpString="PublisherMUI.XML") returned 16 [0062.910] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0062.910] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=1450) returned 1 [0062.910] CloseHandle (hObject=0x21c) returned 1 [0062.910] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml")) returned 0x20 [0062.910] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.910] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0062.911] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.911] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.911] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0063.879] GetLastError () returned 0x0 [0063.879] ReadFile (in: hFile=0x21c, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x5aa, lpOverlapped=0x0) returned 1 [0063.902] WriteFile (in: hFile=0x1d4, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0064.226] ReadFile (in: hFile=0x21c, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0064.226] WriteFile (in: hFile=0x1d4, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0064.227] SetEndOfFile (hFile=0x1d4) returned 1 [0064.227] CloseHandle (hObject=0x1d4) returned 1 [0064.227] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0064.227] SetEndOfFile (hFile=0x21c) returned 1 [0064.228] CloseHandle (hObject=0x21c) returned 1 [0064.228] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0064.229] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml")) returned 1 [0064.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0064.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0064.229] lstrlenW (lpString=".doc") returned 4 [0064.229] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0064.229] lstrlenW (lpString=".docx") returned 5 [0064.229] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0064.229] lstrlenW (lpString=".pdf") returned 4 [0064.229] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0064.229] lstrlenW (lpString=".xls") returned 4 [0064.229] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0064.229] lstrlenW (lpString=".xlsx") returned 5 [0064.229] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0064.229] lstrlenW (lpString=".ppt") returned 4 [0064.229] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0064.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0064.229] lstrlenW (lpString=".zip") returned 4 [0064.229] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0064.229] lstrlenW (lpString=".rar") returned 4 [0064.230] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0064.230] lstrlenW (lpString=".bz2") returned 4 [0064.230] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0064.230] lstrlenW (lpString=".7z") returned 3 [0064.230] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0064.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0064.230] lstrlenW (lpString=".dbf") returned 4 [0064.230] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0064.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0064.230] lstrlenW (lpString=".1cd") returned 4 [0064.230] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0064.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0064.230] lstrlenW (lpString=".jpg") returned 4 [0064.230] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0064.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0064.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0064.230] lstrlenW (lpString=".doc") returned 4 [0064.230] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0064.230] lstrlenW (lpString=".docx") returned 5 [0064.230] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0064.230] lstrlenW (lpString=".pdf") returned 4 [0064.230] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0064.230] lstrlenW (lpString=".xls") returned 4 [0064.230] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0064.230] lstrlenW (lpString=".xlsx") returned 5 [0064.230] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0064.230] lstrlenW (lpString=".ppt") returned 4 [0064.230] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0064.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0064.231] lstrlenW (lpString=".zip") returned 4 [0064.231] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0064.231] lstrlenW (lpString=".rar") returned 4 [0064.231] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0064.231] lstrlenW (lpString=".bz2") returned 4 [0064.231] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0064.231] lstrlenW (lpString=".7z") returned 3 [0064.231] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0064.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0064.231] lstrlenW (lpString=".dbf") returned 4 [0064.231] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0064.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0064.231] lstrlenW (lpString=".1cd") returned 4 [0064.231] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0064.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0064.231] lstrlenW (lpString=".jpg") returned 4 [0064.231] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0064.231] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0064.231] lstrlenW (lpString="SETUP.XML") returned 9 [0064.231] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0064.234] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=1608) returned 1 [0064.234] CloseHandle (hObject=0x21c) returned 1 [0064.234] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml")) returned 0x20 [0064.234] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0064.234] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0064.234] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0064.234] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0064.236] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0064.236] GetLastError () returned 0x0 [0064.236] ReadFile (in: hFile=0x21c, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x648, lpOverlapped=0x0) returned 1 [0064.269] WriteFile (in: hFile=0x1d4, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x650, lpOverlapped=0x0) returned 1 [0064.270] ReadFile (in: hFile=0x21c, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0064.271] WriteFile (in: hFile=0x1d4, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0064.271] SetEndOfFile (hFile=0x1d4) returned 1 [0064.271] CloseHandle (hObject=0x1d4) returned 1 [0064.271] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0064.271] SetEndOfFile (hFile=0x21c) returned 1 [0064.273] CloseHandle (hObject=0x21c) returned 1 [0064.273] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0064.273] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml")) returned 1 [0064.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0064.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0064.273] lstrlenW (lpString=".doc") returned 4 [0064.273] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0064.274] lstrlenW (lpString=".docx") returned 5 [0064.274] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0064.274] lstrlenW (lpString=".pdf") returned 4 [0064.274] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0064.274] lstrlenW (lpString=".xls") returned 4 [0064.274] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0064.274] lstrlenW (lpString=".xlsx") returned 5 [0064.274] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0064.274] lstrlenW (lpString=".ppt") returned 4 [0064.274] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0064.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0064.274] lstrlenW (lpString=".zip") returned 4 [0064.274] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0064.274] lstrlenW (lpString=".rar") returned 4 [0064.274] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0064.274] lstrlenW (lpString=".bz2") returned 4 [0064.274] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0064.274] lstrlenW (lpString=".7z") returned 3 [0064.274] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0064.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0064.274] lstrlenW (lpString=".dbf") returned 4 [0064.274] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0064.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0064.274] lstrlenW (lpString=".1cd") returned 4 [0064.274] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0064.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0064.275] lstrlenW (lpString=".jpg") returned 4 [0064.275] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0064.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0064.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0064.275] lstrlenW (lpString=".doc") returned 4 [0064.275] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0064.275] lstrlenW (lpString=".docx") returned 5 [0064.275] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0064.275] lstrlenW (lpString=".pdf") returned 4 [0064.275] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0064.275] lstrlenW (lpString=".xls") returned 4 [0064.275] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0064.275] lstrlenW (lpString=".xlsx") returned 5 [0064.275] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0064.275] lstrlenW (lpString=".ppt") returned 4 [0064.275] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0064.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0064.275] lstrlenW (lpString=".zip") returned 4 [0064.275] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0064.275] lstrlenW (lpString=".rar") returned 4 [0064.275] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0064.275] lstrlenW (lpString=".bz2") returned 4 [0064.275] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0064.276] lstrlenW (lpString=".7z") returned 3 [0064.276] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0064.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0064.276] lstrlenW (lpString=".dbf") returned 4 [0064.276] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0064.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0064.276] lstrlenW (lpString=".1cd") returned 4 [0064.276] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0064.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0064.276] lstrlenW (lpString=".jpg") returned 4 [0064.276] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0064.276] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0064.276] lstrlenW (lpString="SETUP.XML") returned 9 [0064.276] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0064.280] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=6241) returned 1 [0064.280] CloseHandle (hObject=0x21c) returned 1 [0064.280] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml")) returned 0x20 [0064.280] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0064.280] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0064.280] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0064.280] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0064.280] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0064.281] GetLastError () returned 0x0 [0064.281] ReadFile (in: hFile=0x21c, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x1861, lpOverlapped=0x0) returned 1 [0064.877] WriteFile (in: hFile=0x1d4, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x1870, lpOverlapped=0x0) returned 1 [0065.284] ReadFile (in: hFile=0x21c, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0065.284] WriteFile (in: hFile=0x1d4, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0065.284] SetEndOfFile (hFile=0x1d4) returned 1 [0065.284] CloseHandle (hObject=0x1d4) returned 1 [0065.284] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0065.284] SetEndOfFile (hFile=0x21c) returned 1 [0065.285] CloseHandle (hObject=0x21c) returned 1 [0065.285] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0065.285] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml")) returned 1 [0065.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0065.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0065.286] lstrlenW (lpString=".doc") returned 4 [0065.286] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0065.286] lstrlenW (lpString=".docx") returned 5 [0065.286] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0065.286] lstrlenW (lpString=".pdf") returned 4 [0065.286] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0065.286] lstrlenW (lpString=".xls") returned 4 [0065.286] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0065.286] lstrlenW (lpString=".xlsx") returned 5 [0065.286] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0065.286] lstrlenW (lpString=".ppt") returned 4 [0065.286] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0065.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0065.286] lstrlenW (lpString=".zip") returned 4 [0065.286] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0065.286] lstrlenW (lpString=".rar") returned 4 [0065.286] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0065.286] lstrlenW (lpString=".bz2") returned 4 [0065.286] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0065.286] lstrlenW (lpString=".7z") returned 3 [0065.286] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0065.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0065.286] lstrlenW (lpString=".dbf") returned 4 [0065.286] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0065.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0065.286] lstrlenW (lpString=".1cd") returned 4 [0065.286] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0065.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0065.287] lstrlenW (lpString=".jpg") returned 4 [0065.287] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0065.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0065.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0065.287] lstrlenW (lpString=".doc") returned 4 [0065.287] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0065.287] lstrlenW (lpString=".docx") returned 5 [0065.287] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0065.287] lstrlenW (lpString=".pdf") returned 4 [0065.287] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0065.287] lstrlenW (lpString=".xls") returned 4 [0065.287] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0065.287] lstrlenW (lpString=".xlsx") returned 5 [0065.287] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0065.287] lstrlenW (lpString=".ppt") returned 4 [0065.287] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0065.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0065.287] lstrlenW (lpString=".zip") returned 4 [0065.287] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0065.287] lstrlenW (lpString=".rar") returned 4 [0065.287] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0065.287] lstrlenW (lpString=".bz2") returned 4 [0065.287] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0065.287] lstrlenW (lpString=".7z") returned 3 [0065.287] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0065.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0065.287] lstrlenW (lpString=".dbf") returned 4 [0065.287] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0065.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0065.288] lstrlenW (lpString=".1cd") returned 4 [0065.288] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0065.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0065.288] lstrlenW (lpString=".jpg") returned 4 [0065.288] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0065.288] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0065.288] lstrlenW (lpString="STOCKS.XML") returned 10 [0065.288] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0066.814] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=2687) returned 1 [0066.814] CloseHandle (hObject=0x1ac) returned 1 [0066.814] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml")) returned 0x20 [0066.815] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0066.815] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0066.815] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0066.815] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0066.815] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0066.815] GetLastError () returned 0x0 [0066.815] ReadFile (in: hFile=0x1ac, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0xa7f, lpOverlapped=0x0) returned 1 [0066.819] WriteFile (in: hFile=0x20c, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xa80, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xa80, lpOverlapped=0x0) returned 1 [0066.821] ReadFile (in: hFile=0x1ac, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0066.821] WriteFile (in: hFile=0x20c, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0066.821] SetEndOfFile (hFile=0x20c) returned 1 [0066.821] CloseHandle (hObject=0x20c) returned 1 [0066.821] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0066.821] SetEndOfFile (hFile=0x1ac) returned 1 [0066.823] CloseHandle (hObject=0x1ac) returned 1 [0066.823] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0066.823] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml")) returned 1 [0066.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0066.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0066.823] lstrlenW (lpString=".doc") returned 4 [0066.823] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0066.823] lstrlenW (lpString=".docx") returned 5 [0066.823] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0066.824] lstrlenW (lpString=".pdf") returned 4 [0066.824] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0066.824] lstrlenW (lpString=".xls") returned 4 [0066.824] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0066.824] lstrlenW (lpString=".xlsx") returned 5 [0066.824] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0066.824] lstrlenW (lpString=".ppt") returned 4 [0066.824] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0066.824] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0066.824] lstrlenW (lpString=".zip") returned 4 [0066.824] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0066.824] lstrlenW (lpString=".rar") returned 4 [0066.824] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0066.824] lstrlenW (lpString=".bz2") returned 4 [0066.824] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0066.824] lstrlenW (lpString=".7z") returned 3 [0066.824] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0066.825] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0066.825] lstrlenW (lpString=".dbf") returned 4 [0066.825] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0066.825] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0066.825] lstrlenW (lpString=".1cd") returned 4 [0066.825] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0066.825] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0066.825] lstrlenW (lpString=".jpg") returned 4 [0066.825] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0066.825] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0066.825] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0066.825] lstrlenW (lpString=".doc") returned 4 [0066.825] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0066.825] lstrlenW (lpString=".docx") returned 5 [0066.825] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0066.825] lstrlenW (lpString=".pdf") returned 4 [0066.825] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0066.825] lstrlenW (lpString=".xls") returned 4 [0066.825] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0066.825] lstrlenW (lpString=".xlsx") returned 5 [0066.826] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0066.826] lstrlenW (lpString=".ppt") returned 4 [0066.826] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0066.826] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0066.826] lstrlenW (lpString=".zip") returned 4 [0066.826] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0066.826] lstrlenW (lpString=".rar") returned 4 [0066.826] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0066.826] lstrlenW (lpString=".bz2") returned 4 [0066.826] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0066.826] lstrlenW (lpString=".7z") returned 3 [0066.826] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0066.826] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0066.826] lstrlenW (lpString=".dbf") returned 4 [0066.826] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0066.826] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0066.826] lstrlenW (lpString=".1cd") returned 4 [0066.826] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0066.826] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0066.826] lstrlenW (lpString=".jpg") returned 4 [0066.826] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0066.827] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0066.827] lstrlenW (lpString="TIME.XML") returned 8 [0066.827] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0066.828] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=8564) returned 1 [0066.828] CloseHandle (hObject=0x1ac) returned 1 [0066.828] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml")) returned 0x20 [0066.828] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0066.828] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0066.828] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0066.828] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0066.828] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0066.829] GetLastError () returned 0x0 [0066.829] ReadFile (in: hFile=0x1ac, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x2174, lpOverlapped=0x0) returned 1 [0066.832] WriteFile (in: hFile=0x20c, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x2180, lpOverlapped=0x0) returned 1 [0066.835] ReadFile (in: hFile=0x1ac, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0066.835] WriteFile (in: hFile=0x20c, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0066.835] SetEndOfFile (hFile=0x20c) returned 1 [0066.835] CloseHandle (hObject=0x20c) returned 1 [0066.835] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0066.835] SetEndOfFile (hFile=0x1ac) returned 1 [0066.836] CloseHandle (hObject=0x1ac) returned 1 [0066.836] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0066.837] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml")) returned 1 [0066.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0066.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0066.837] lstrlenW (lpString=".doc") returned 4 [0066.837] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0066.837] lstrlenW (lpString=".docx") returned 5 [0066.837] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0066.837] lstrlenW (lpString=".pdf") returned 4 [0066.837] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0066.837] lstrlenW (lpString=".xls") returned 4 [0066.837] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0066.837] lstrlenW (lpString=".xlsx") returned 5 [0066.837] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0066.837] lstrlenW (lpString=".ppt") returned 4 [0066.837] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0066.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0066.837] lstrlenW (lpString=".zip") returned 4 [0066.837] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0066.838] lstrlenW (lpString=".rar") returned 4 [0066.838] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0066.838] lstrlenW (lpString=".bz2") returned 4 [0066.838] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0066.838] lstrlenW (lpString=".7z") returned 3 [0066.838] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0066.838] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0066.838] lstrlenW (lpString=".dbf") returned 4 [0066.838] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0066.838] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0066.838] lstrlenW (lpString=".1cd") returned 4 [0066.838] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0066.838] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0066.838] lstrlenW (lpString=".jpg") returned 4 [0066.838] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0066.838] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0066.838] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0066.838] lstrlenW (lpString=".doc") returned 4 [0066.838] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0066.838] lstrlenW (lpString=".docx") returned 5 [0066.838] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0066.838] lstrlenW (lpString=".pdf") returned 4 [0066.839] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0066.839] lstrlenW (lpString=".xls") returned 4 [0066.839] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0066.839] lstrlenW (lpString=".xlsx") returned 5 [0066.839] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0066.839] lstrlenW (lpString=".ppt") returned 4 [0066.839] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0066.839] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0066.839] lstrlenW (lpString=".zip") returned 4 [0066.839] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0066.839] lstrlenW (lpString=".rar") returned 4 [0066.839] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0066.839] lstrlenW (lpString=".bz2") returned 4 [0066.839] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0066.839] lstrlenW (lpString=".7z") returned 3 [0066.839] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0066.839] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0066.839] lstrlenW (lpString=".dbf") returned 4 [0066.839] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0066.839] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0066.839] lstrlenW (lpString=".1cd") returned 4 [0066.839] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0066.839] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0066.839] lstrlenW (lpString=".jpg") returned 4 [0066.839] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0066.840] lstrcmpiW (lpString1=".XSL", lpString2=".bmd") returned 1 [0066.840] lstrlenW (lpString="BASMLA.XSL") returned 10 [0066.840] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0066.840] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=227311) returned 1 [0066.840] CloseHandle (hObject=0x1ac) returned 1 [0066.841] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl")) returned 0x20 [0066.841] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0066.841] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0066.841] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0066.841] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0066.841] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0066.841] GetLastError () returned 0x0 [0066.842] ReadFile (in: hFile=0x1ac, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x377ef, lpOverlapped=0x0) returned 1 [0066.849] WriteFile (in: hFile=0x20c, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x377f0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x377f0, lpOverlapped=0x0) returned 1 [0067.053] ReadFile (in: hFile=0x1ac, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.053] WriteFile (in: hFile=0x20c, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0067.053] SetEndOfFile (hFile=0x20c) returned 1 [0067.053] CloseHandle (hObject=0x20c) returned 1 [0067.053] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.054] SetEndOfFile (hFile=0x1ac) returned 1 [0067.056] CloseHandle (hObject=0x1ac) returned 1 [0067.056] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0067.056] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl")) returned 1 [0067.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0067.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0067.056] lstrlenW (lpString=".doc") returned 4 [0067.056] lstrcmpiW (lpString1=".doc", lpString2=".XSL") returned -1 [0067.056] lstrlenW (lpString=".docx") returned 5 [0067.056] lstrcmpiW (lpString1=".docx", lpString2="A.XSL") returned -1 [0067.057] lstrlenW (lpString=".pdf") returned 4 [0067.057] lstrcmpiW (lpString1=".pdf", lpString2=".XSL") returned -1 [0067.057] lstrlenW (lpString=".xls") returned 4 [0067.057] lstrcmpiW (lpString1=".xls", lpString2=".XSL") returned -1 [0067.057] lstrlenW (lpString=".xlsx") returned 5 [0067.057] lstrcmpiW (lpString1=".xlsx", lpString2="A.XSL") returned -1 [0067.057] lstrlenW (lpString=".ppt") returned 4 [0067.057] lstrcmpiW (lpString1=".ppt", lpString2=".XSL") returned -1 [0067.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0067.057] lstrlenW (lpString=".zip") returned 4 [0067.057] lstrcmpiW (lpString1=".zip", lpString2=".XSL") returned 1 [0067.057] lstrlenW (lpString=".rar") returned 4 [0067.057] lstrcmpiW (lpString1=".rar", lpString2=".XSL") returned -1 [0067.057] lstrlenW (lpString=".bz2") returned 4 [0067.057] lstrcmpiW (lpString1=".bz2", lpString2=".XSL") returned -1 [0067.057] lstrlenW (lpString=".7z") returned 3 [0067.057] lstrcmpiW (lpString1=".7z", lpString2="XSL") returned -1 [0067.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0067.057] lstrlenW (lpString=".dbf") returned 4 [0067.057] lstrcmpiW (lpString1=".dbf", lpString2=".XSL") returned -1 [0067.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0067.057] lstrlenW (lpString=".1cd") returned 4 [0067.057] lstrcmpiW (lpString1=".1cd", lpString2=".XSL") returned -1 [0067.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0067.057] lstrlenW (lpString=".jpg") returned 4 [0067.057] lstrcmpiW (lpString1=".jpg", lpString2=".XSL") returned -1 [0067.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0067.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0067.057] lstrlenW (lpString=".doc") returned 4 [0067.057] lstrcmpiW (lpString1=".doc", lpString2=".XSL") returned -1 [0067.058] lstrlenW (lpString=".docx") returned 5 [0067.058] lstrcmpiW (lpString1=".docx", lpString2="A.XSL") returned -1 [0067.058] lstrlenW (lpString=".pdf") returned 4 [0067.058] lstrcmpiW (lpString1=".pdf", lpString2=".XSL") returned -1 [0067.058] lstrlenW (lpString=".xls") returned 4 [0067.058] lstrcmpiW (lpString1=".xls", lpString2=".XSL") returned -1 [0067.058] lstrlenW (lpString=".xlsx") returned 5 [0067.058] lstrcmpiW (lpString1=".xlsx", lpString2="A.XSL") returned -1 [0067.058] lstrlenW (lpString=".ppt") returned 4 [0067.058] lstrcmpiW (lpString1=".ppt", lpString2=".XSL") returned -1 [0067.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0067.058] lstrlenW (lpString=".zip") returned 4 [0067.058] lstrcmpiW (lpString1=".zip", lpString2=".XSL") returned 1 [0067.058] lstrlenW (lpString=".rar") returned 4 [0067.058] lstrcmpiW (lpString1=".rar", lpString2=".XSL") returned -1 [0067.071] lstrlenW (lpString=".bz2") returned 4 [0067.071] lstrcmpiW (lpString1=".bz2", lpString2=".XSL") returned -1 [0067.071] lstrlenW (lpString=".7z") returned 3 [0067.071] lstrcmpiW (lpString1=".7z", lpString2="XSL") returned -1 [0067.071] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0067.071] lstrlenW (lpString=".dbf") returned 4 [0067.071] lstrcmpiW (lpString1=".dbf", lpString2=".XSL") returned -1 [0067.071] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0067.071] lstrlenW (lpString=".1cd") returned 4 [0067.071] lstrcmpiW (lpString1=".1cd", lpString2=".XSL") returned -1 [0067.071] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0067.071] lstrlenW (lpString=".jpg") returned 4 [0067.071] lstrcmpiW (lpString1=".jpg", lpString2=".XSL") returned -1 [0067.071] lstrcmpiW (lpString1=".emf", lpString2=".bmd") returned 1 [0067.071] lstrlenW (lpString="Memo.emf") returned 8 [0067.071] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0067.547] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=152300) returned 1 [0067.547] CloseHandle (hObject=0x1f0) returned 1 [0067.547] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf")) returned 0x20 [0067.548] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.548] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.548] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0067.548] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0067.548] lstrlenW (lpString=".doc") returned 4 [0067.548] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0067.548] lstrlenW (lpString=".docx") returned 5 [0067.548] lstrcmpiW (lpString1=".docx", lpString2="o.emf") returned -1 [0067.548] lstrlenW (lpString=".pdf") returned 4 [0067.548] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0067.548] lstrlenW (lpString=".xls") returned 4 [0067.548] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0067.548] lstrlenW (lpString=".xlsx") returned 5 [0067.548] lstrcmpiW (lpString1=".xlsx", lpString2="o.emf") returned -1 [0067.548] lstrlenW (lpString=".ppt") returned 4 [0067.548] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0067.548] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0067.548] lstrlenW (lpString=".zip") returned 4 [0067.548] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0067.549] lstrlenW (lpString=".rar") returned 4 [0067.549] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0067.549] lstrlenW (lpString=".bz2") returned 4 [0067.549] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0067.549] lstrlenW (lpString=".7z") returned 3 [0067.549] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0067.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0067.549] lstrlenW (lpString=".dbf") returned 4 [0067.549] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0067.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0067.549] lstrlenW (lpString=".1cd") returned 4 [0067.549] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0067.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0067.549] lstrlenW (lpString=".jpg") returned 4 [0067.549] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0067.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0067.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0067.549] lstrlenW (lpString=".doc") returned 4 [0067.549] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0067.549] lstrlenW (lpString=".docx") returned 5 [0067.550] lstrcmpiW (lpString1=".docx", lpString2="o.emf") returned -1 [0067.550] lstrlenW (lpString=".pdf") returned 4 [0067.550] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0067.550] lstrlenW (lpString=".xls") returned 4 [0067.550] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0067.550] lstrlenW (lpString=".xlsx") returned 5 [0067.550] lstrcmpiW (lpString1=".xlsx", lpString2="o.emf") returned -1 [0067.550] lstrlenW (lpString=".ppt") returned 4 [0067.550] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0067.550] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0067.550] lstrlenW (lpString=".zip") returned 4 [0067.550] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0067.550] lstrlenW (lpString=".rar") returned 4 [0067.550] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0067.550] lstrlenW (lpString=".bz2") returned 4 [0067.550] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0067.550] lstrlenW (lpString=".7z") returned 3 [0067.550] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0067.550] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0067.550] lstrlenW (lpString=".dbf") returned 4 [0067.550] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0067.550] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0067.551] lstrlenW (lpString=".1cd") returned 4 [0067.551] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0067.551] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0067.551] lstrlenW (lpString=".jpg") returned 4 [0067.551] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0067.551] lstrcmpiW (lpString1=".emf", lpString2=".bmd") returned 1 [0067.551] lstrlenW (lpString="Month_Calendar.emf") returned 18 [0067.551] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\month_calendar.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0067.552] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=4192) returned 1 [0067.552] CloseHandle (hObject=0x1f0) returned 1 [0067.552] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\month_calendar.emf")) returned 0x20 [0067.552] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\month_calendar.emf.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.552] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\month_calendar.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0067.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0067.552] lstrlenW (lpString=".doc") returned 4 [0067.552] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0067.552] lstrlenW (lpString=".docx") returned 5 [0067.552] lstrcmpiW (lpString1=".docx", lpString2="r.emf") returned -1 [0067.552] lstrlenW (lpString=".pdf") returned 4 [0067.552] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0067.552] lstrlenW (lpString=".xls") returned 4 [0067.553] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0067.553] lstrlenW (lpString=".xlsx") returned 5 [0067.553] lstrcmpiW (lpString1=".xlsx", lpString2="r.emf") returned -1 [0067.553] lstrlenW (lpString=".ppt") returned 4 [0067.553] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0067.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0067.553] lstrlenW (lpString=".zip") returned 4 [0067.553] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0067.553] lstrlenW (lpString=".rar") returned 4 [0067.553] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0067.553] lstrlenW (lpString=".bz2") returned 4 [0067.553] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0067.553] lstrlenW (lpString=".7z") returned 3 [0067.553] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0067.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0067.553] lstrlenW (lpString=".dbf") returned 4 [0067.553] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0067.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0067.553] lstrlenW (lpString=".1cd") returned 4 [0067.553] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0067.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0067.553] lstrlenW (lpString=".jpg") returned 4 [0067.553] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0067.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0067.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0067.554] lstrlenW (lpString=".doc") returned 4 [0067.554] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0067.554] lstrlenW (lpString=".docx") returned 5 [0067.554] lstrcmpiW (lpString1=".docx", lpString2="r.emf") returned -1 [0067.554] lstrlenW (lpString=".pdf") returned 4 [0067.554] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0067.554] lstrlenW (lpString=".xls") returned 4 [0067.554] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0067.554] lstrlenW (lpString=".xlsx") returned 5 [0067.554] lstrcmpiW (lpString1=".xlsx", lpString2="r.emf") returned -1 [0067.554] lstrlenW (lpString=".ppt") returned 4 [0067.554] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0067.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0067.554] lstrlenW (lpString=".zip") returned 4 [0067.555] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0067.555] lstrlenW (lpString=".rar") returned 4 [0067.555] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0067.555] lstrlenW (lpString=".bz2") returned 4 [0067.555] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0067.555] lstrlenW (lpString=".7z") returned 3 [0067.555] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0067.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0067.555] lstrlenW (lpString=".dbf") returned 4 [0067.555] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0067.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0067.555] lstrlenW (lpString=".1cd") returned 4 [0067.555] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0067.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0067.555] lstrlenW (lpString=".jpg") returned 4 [0067.555] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0067.556] lstrcmpiW (lpString1=".emf", lpString2=".bmd") returned 1 [0067.556] lstrlenW (lpString="Music.emf") returned 9 [0067.556] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\music.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0067.557] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=26036) returned 1 [0067.557] CloseHandle (hObject=0x1f0) returned 1 [0067.558] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\music.emf")) returned 0x20 [0067.558] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\music.emf.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.558] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\music.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.558] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0067.558] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0067.558] lstrlenW (lpString=".doc") returned 4 [0067.558] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0067.558] lstrlenW (lpString=".docx") returned 5 [0067.558] lstrcmpiW (lpString1=".docx", lpString2="c.emf") returned -1 [0067.558] lstrlenW (lpString=".pdf") returned 4 [0067.558] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0067.558] lstrlenW (lpString=".xls") returned 4 [0067.558] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0067.558] lstrlenW (lpString=".xlsx") returned 5 [0067.558] lstrcmpiW (lpString1=".xlsx", lpString2="c.emf") returned -1 [0067.558] lstrlenW (lpString=".ppt") returned 4 [0067.559] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0067.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0067.559] lstrlenW (lpString=".zip") returned 4 [0067.559] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0067.559] lstrlenW (lpString=".rar") returned 4 [0067.559] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0067.559] lstrlenW (lpString=".bz2") returned 4 [0067.559] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0067.559] lstrlenW (lpString=".7z") returned 3 [0067.559] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0067.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0067.559] lstrlenW (lpString=".dbf") returned 4 [0067.559] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0067.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0067.559] lstrlenW (lpString=".1cd") returned 4 [0067.559] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0067.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0067.559] lstrlenW (lpString=".jpg") returned 4 [0067.559] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0067.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0067.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0067.560] lstrlenW (lpString=".doc") returned 4 [0067.560] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0067.560] lstrlenW (lpString=".docx") returned 5 [0067.560] lstrcmpiW (lpString1=".docx", lpString2="c.emf") returned -1 [0067.560] lstrlenW (lpString=".pdf") returned 4 [0067.560] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0067.560] lstrlenW (lpString=".xls") returned 4 [0067.560] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0067.560] lstrlenW (lpString=".xlsx") returned 5 [0067.560] lstrcmpiW (lpString1=".xlsx", lpString2="c.emf") returned -1 [0067.560] lstrlenW (lpString=".ppt") returned 4 [0067.560] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0067.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0067.560] lstrlenW (lpString=".zip") returned 4 [0067.560] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0067.560] lstrlenW (lpString=".rar") returned 4 [0067.560] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0067.560] lstrlenW (lpString=".bz2") returned 4 [0067.560] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0067.560] lstrlenW (lpString=".7z") returned 3 [0067.560] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0067.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0067.561] lstrlenW (lpString=".dbf") returned 4 [0067.561] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0067.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0067.561] lstrlenW (lpString=".1cd") returned 4 [0067.561] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0067.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0067.561] lstrlenW (lpString=".jpg") returned 4 [0067.561] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0067.561] lstrcmpiW (lpString1=".jpg", lpString2=".bmd") returned 1 [0067.561] lstrlenW (lpString="Notebook.jpg") returned 12 [0067.561] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0067.568] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=2950) returned 1 [0067.568] CloseHandle (hObject=0x1f8) returned 1 [0067.569] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg")) returned 0x20 [0067.569] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.569] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0067.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0067.569] lstrlenW (lpString=".doc") returned 4 [0067.569] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0067.569] lstrlenW (lpString=".docx") returned 5 [0067.569] lstrcmpiW (lpString1=".docx", lpString2="k.jpg") returned -1 [0067.569] lstrlenW (lpString=".pdf") returned 4 [0067.569] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0067.569] lstrlenW (lpString=".xls") returned 4 [0067.569] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0067.569] lstrlenW (lpString=".xlsx") returned 5 [0067.569] lstrcmpiW (lpString1=".xlsx", lpString2="k.jpg") returned -1 [0067.569] lstrlenW (lpString=".ppt") returned 4 [0067.569] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0067.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0067.569] lstrlenW (lpString=".zip") returned 4 [0067.569] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0067.569] lstrlenW (lpString=".rar") returned 4 [0067.570] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0067.570] lstrlenW (lpString=".bz2") returned 4 [0067.570] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0067.570] lstrlenW (lpString=".7z") returned 3 [0067.570] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0067.570] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0067.570] lstrlenW (lpString=".dbf") returned 4 [0067.570] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0067.570] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0067.570] lstrlenW (lpString=".1cd") returned 4 [0067.570] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0067.570] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0067.570] lstrlenW (lpString=".jpg") returned 4 [0067.570] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0067.570] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0067.570] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0067.570] lstrlenW (lpString=".doc") returned 4 [0067.570] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0067.570] lstrlenW (lpString=".docx") returned 5 [0067.570] lstrcmpiW (lpString1=".docx", lpString2="k.jpg") returned -1 [0067.570] lstrlenW (lpString=".pdf") returned 4 [0067.570] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0067.570] lstrlenW (lpString=".xls") returned 4 [0067.570] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0067.570] lstrlenW (lpString=".xlsx") returned 5 [0067.570] lstrcmpiW (lpString1=".xlsx", lpString2="k.jpg") returned -1 [0067.571] lstrlenW (lpString=".ppt") returned 4 [0067.571] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0067.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0067.571] lstrlenW (lpString=".zip") returned 4 [0067.571] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0067.571] lstrlenW (lpString=".rar") returned 4 [0067.571] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0067.571] lstrlenW (lpString=".bz2") returned 4 [0067.571] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0067.571] lstrlenW (lpString=".7z") returned 3 [0067.571] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0067.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0067.571] lstrlenW (lpString=".dbf") returned 4 [0067.571] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0067.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0067.571] lstrlenW (lpString=".1cd") returned 4 [0067.571] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0067.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0067.571] lstrlenW (lpString=".jpg") returned 4 [0067.571] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0067.571] lstrcmpiW (lpString1=".htm", lpString2=".bmd") returned 1 [0067.571] lstrlenW (lpString="Orange Circles.htm") returned 18 [0067.572] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0067.572] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=237) returned 1 [0067.572] CloseHandle (hObject=0x1f8) returned 1 [0067.572] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm")) returned 0x20 [0067.572] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.572] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0067.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0067.573] lstrlenW (lpString=".doc") returned 4 [0067.573] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0067.573] lstrlenW (lpString=".docx") returned 5 [0067.573] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0067.573] lstrlenW (lpString=".pdf") returned 4 [0067.573] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0067.573] lstrlenW (lpString=".xls") returned 4 [0067.573] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0067.573] lstrlenW (lpString=".xlsx") returned 5 [0067.573] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0067.574] lstrlenW (lpString=".ppt") returned 4 [0067.574] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0067.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0067.574] lstrlenW (lpString=".zip") returned 4 [0067.574] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0067.574] lstrlenW (lpString=".rar") returned 4 [0067.574] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0067.574] lstrlenW (lpString=".bz2") returned 4 [0067.574] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0067.574] lstrlenW (lpString=".7z") returned 3 [0067.574] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0067.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0067.574] lstrlenW (lpString=".dbf") returned 4 [0067.574] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0067.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0067.574] lstrlenW (lpString=".1cd") returned 4 [0067.574] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0067.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0067.574] lstrlenW (lpString=".jpg") returned 4 [0067.574] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0067.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0067.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0067.575] lstrlenW (lpString=".doc") returned 4 [0067.575] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0067.575] lstrlenW (lpString=".docx") returned 5 [0067.575] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0067.575] lstrlenW (lpString=".pdf") returned 4 [0067.575] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0067.575] lstrlenW (lpString=".xls") returned 4 [0067.575] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0067.575] lstrlenW (lpString=".xlsx") returned 5 [0067.575] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0067.575] lstrlenW (lpString=".ppt") returned 4 [0067.575] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0067.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0067.575] lstrlenW (lpString=".zip") returned 4 [0067.575] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0067.575] lstrlenW (lpString=".rar") returned 4 [0067.575] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0067.575] lstrlenW (lpString=".bz2") returned 4 [0067.575] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0067.575] lstrlenW (lpString=".7z") returned 3 [0067.575] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0067.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0067.575] lstrlenW (lpString=".dbf") returned 4 [0067.575] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0067.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0067.575] lstrlenW (lpString=".1cd") returned 4 [0067.575] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0067.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0067.576] lstrlenW (lpString=".jpg") returned 4 [0067.576] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0067.576] lstrcmpiW (lpString1=".jpg", lpString2=".bmd") returned 1 [0067.576] lstrlenW (lpString="OrangeCircles.jpg") returned 17 [0067.576] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0067.576] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=6381) returned 1 [0067.576] CloseHandle (hObject=0x1f8) returned 1 [0067.576] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg")) returned 0x20 [0067.576] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.577] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg") returned 75 [0067.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg") returned 75 [0067.577] lstrlenW (lpString=".doc") returned 4 [0067.577] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0067.577] lstrlenW (lpString=".docx") returned 5 [0067.577] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0067.577] lstrlenW (lpString=".pdf") returned 4 [0067.577] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0067.577] lstrlenW (lpString=".xls") returned 4 [0067.577] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0067.577] lstrlenW (lpString=".xlsx") returned 5 [0067.577] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0067.577] lstrlenW (lpString=".ppt") returned 4 [0067.577] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0067.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg") returned 75 [0067.577] lstrlenW (lpString=".zip") returned 4 [0067.577] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0067.577] lstrlenW (lpString=".rar") returned 4 [0067.577] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0067.577] lstrlenW (lpString=".bz2") returned 4 [0067.577] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0067.577] lstrlenW (lpString=".7z") returned 3 [0067.577] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0067.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg") returned 75 [0067.577] lstrlenW (lpString=".dbf") returned 4 [0067.577] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0067.909] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=25234) returned 1 [0067.909] CloseHandle (hObject=0x1f8) returned 1 [0067.909] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png")) returned 0x20 [0067.909] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.909] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0067.910] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.910] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.910] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0067.910] GetLastError () returned 0x0 [0067.910] ReadFile (in: hFile=0x1f8, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x6292, lpOverlapped=0x0) returned 1 [0067.963] WriteFile (in: hFile=0x188, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x62a0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x62a0, lpOverlapped=0x0) returned 1 [0067.965] ReadFile (in: hFile=0x1f8, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.965] WriteFile (in: hFile=0x188, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0067.965] SetEndOfFile (hFile=0x188) returned 1 [0067.966] CloseHandle (hObject=0x188) returned 1 [0067.966] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.966] SetEndOfFile (hFile=0x1f8) returned 1 [0067.967] CloseHandle (hObject=0x1f8) returned 1 [0067.967] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0067.968] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png")) returned 1 [0067.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0067.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0067.968] lstrlenW (lpString=".doc") returned 4 [0067.968] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0067.968] lstrlenW (lpString=".docx") returned 5 [0067.968] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0067.968] lstrlenW (lpString=".pdf") returned 4 [0067.968] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0067.968] lstrlenW (lpString=".xls") returned 4 [0067.968] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0067.968] lstrlenW (lpString=".xlsx") returned 5 [0067.968] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0067.968] lstrlenW (lpString=".ppt") returned 4 [0067.968] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0067.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0067.968] lstrlenW (lpString=".zip") returned 4 [0067.968] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0067.968] lstrlenW (lpString=".rar") returned 4 [0067.968] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0067.968] lstrlenW (lpString=".bz2") returned 4 [0067.969] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0067.969] lstrlenW (lpString=".7z") returned 3 [0067.969] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0067.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0067.969] lstrlenW (lpString=".dbf") returned 4 [0067.969] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0067.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0067.969] lstrlenW (lpString=".1cd") returned 4 [0067.969] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0067.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0067.969] lstrlenW (lpString=".jpg") returned 4 [0067.969] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0067.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0067.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0067.969] lstrlenW (lpString=".doc") returned 4 [0067.969] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0067.969] lstrlenW (lpString=".docx") returned 5 [0067.969] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0067.969] lstrlenW (lpString=".pdf") returned 4 [0067.969] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0067.969] lstrlenW (lpString=".xls") returned 4 [0067.969] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0067.969] lstrlenW (lpString=".xlsx") returned 5 [0067.969] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0067.970] lstrlenW (lpString=".ppt") returned 4 [0067.970] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0067.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0067.970] lstrlenW (lpString=".zip") returned 4 [0067.970] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0067.970] lstrlenW (lpString=".rar") returned 4 [0067.970] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0067.970] lstrlenW (lpString=".bz2") returned 4 [0067.970] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0067.970] lstrlenW (lpString=".7z") returned 3 [0067.970] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0067.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0067.970] lstrlenW (lpString=".dbf") returned 4 [0067.970] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0067.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0067.970] lstrlenW (lpString=".1cd") returned 4 [0067.970] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0067.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0067.970] lstrlenW (lpString=".jpg") returned 4 [0067.970] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0067.971] lstrcmpiW (lpString1=".GIF", lpString2=".bmd") returned 1 [0067.971] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0067.971] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0067.979] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=2985) returned 1 [0067.979] CloseHandle (hObject=0x1f8) returned 1 [0067.980] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif")) returned 0x20 [0067.980] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.980] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0067.980] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.980] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.980] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0067.988] GetLastError () returned 0x0 [0067.988] ReadFile (in: hFile=0x1f8, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0xba9, lpOverlapped=0x0) returned 1 [0067.991] WriteFile (in: hFile=0x188, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xbb0, lpOverlapped=0x0) returned 1 [0067.992] ReadFile (in: hFile=0x1f8, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.992] WriteFile (in: hFile=0x188, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xea, lpOverlapped=0x0) returned 1 [0067.992] SetEndOfFile (hFile=0x188) returned 1 [0067.992] CloseHandle (hObject=0x188) returned 1 [0067.993] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.993] SetEndOfFile (hFile=0x1f8) returned 1 [0067.994] CloseHandle (hObject=0x1f8) returned 1 [0067.994] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0067.994] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif")) returned 1 [0067.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0067.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0067.995] lstrlenW (lpString=".doc") returned 4 [0067.995] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0067.995] lstrlenW (lpString=".docx") returned 5 [0067.995] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0067.995] lstrlenW (lpString=".pdf") returned 4 [0067.995] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0067.995] lstrlenW (lpString=".xls") returned 4 [0067.995] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0067.995] lstrlenW (lpString=".xlsx") returned 5 [0067.995] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0067.995] lstrlenW (lpString=".ppt") returned 4 [0067.995] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0067.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0067.995] lstrlenW (lpString=".zip") returned 4 [0067.995] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0067.995] lstrlenW (lpString=".rar") returned 4 [0067.995] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0067.995] lstrlenW (lpString=".bz2") returned 4 [0067.995] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0067.995] lstrlenW (lpString=".7z") returned 3 [0067.995] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0067.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0067.996] lstrlenW (lpString=".dbf") returned 4 [0067.996] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0067.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0067.996] lstrlenW (lpString=".1cd") returned 4 [0067.996] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0067.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0067.996] lstrlenW (lpString=".jpg") returned 4 [0067.996] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0067.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0067.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0067.996] lstrlenW (lpString=".doc") returned 4 [0067.996] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0067.996] lstrlenW (lpString=".docx") returned 5 [0067.996] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0067.996] lstrlenW (lpString=".pdf") returned 4 [0067.996] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0067.996] lstrlenW (lpString=".xls") returned 4 [0067.996] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0067.996] lstrlenW (lpString=".xlsx") returned 5 [0067.996] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0067.996] lstrlenW (lpString=".ppt") returned 4 [0067.996] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0067.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0067.997] lstrlenW (lpString=".zip") returned 4 [0067.997] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0067.997] lstrlenW (lpString=".rar") returned 4 [0067.997] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0067.997] lstrlenW (lpString=".bz2") returned 4 [0067.997] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0067.997] lstrlenW (lpString=".7z") returned 3 [0067.997] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0067.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0067.997] lstrlenW (lpString=".dbf") returned 4 [0067.997] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0067.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0067.997] lstrlenW (lpString=".1cd") returned 4 [0067.997] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0067.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0067.997] lstrlenW (lpString=".jpg") returned 4 [0067.997] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0067.997] lstrcmpiW (lpString1=".PNG", lpString2=".bmd") returned 1 [0067.998] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0067.998] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0067.999] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=19780) returned 1 [0067.999] CloseHandle (hObject=0x1f8) returned 1 [0068.000] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png")) returned 0x20 [0068.000] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0068.000] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0068.000] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.000] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.000] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0068.004] GetLastError () returned 0x0 [0068.004] ReadFile (in: hFile=0x1f8, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x4d44, lpOverlapped=0x0) returned 1 [0069.072] WriteFile (in: hFile=0x188, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x4d50, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x4d50, lpOverlapped=0x0) returned 1 [0069.074] ReadFile (in: hFile=0x1f8, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0069.074] WriteFile (in: hFile=0x188, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0069.074] SetEndOfFile (hFile=0x188) returned 1 [0069.074] CloseHandle (hObject=0x188) returned 1 [0069.075] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.075] SetEndOfFile (hFile=0x1f8) returned 1 [0069.076] CloseHandle (hObject=0x1f8) returned 1 [0069.076] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0069.076] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png")) returned 1 [0069.077] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0069.077] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0069.077] lstrlenW (lpString=".doc") returned 4 [0069.077] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0069.077] lstrlenW (lpString=".docx") returned 5 [0069.077] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0069.077] lstrlenW (lpString=".pdf") returned 4 [0069.077] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0069.077] lstrlenW (lpString=".xls") returned 4 [0069.077] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0069.077] lstrlenW (lpString=".xlsx") returned 5 [0069.077] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0069.077] lstrlenW (lpString=".ppt") returned 4 [0069.077] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0069.077] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0069.077] lstrlenW (lpString=".zip") returned 4 [0069.077] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0069.077] lstrlenW (lpString=".rar") returned 4 [0069.078] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0069.078] lstrlenW (lpString=".bz2") returned 4 [0069.078] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0069.078] lstrlenW (lpString=".7z") returned 3 [0069.078] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0069.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0069.078] lstrlenW (lpString=".dbf") returned 4 [0069.078] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0069.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0069.078] lstrlenW (lpString=".1cd") returned 4 [0069.078] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0069.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0069.078] lstrlenW (lpString=".jpg") returned 4 [0069.078] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0069.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0069.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0069.078] lstrlenW (lpString=".doc") returned 4 [0069.078] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0069.078] lstrlenW (lpString=".docx") returned 5 [0069.078] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0069.078] lstrlenW (lpString=".pdf") returned 4 [0069.079] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0069.079] lstrlenW (lpString=".xls") returned 4 [0069.079] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0069.079] lstrlenW (lpString=".xlsx") returned 5 [0069.079] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0069.079] lstrlenW (lpString=".ppt") returned 4 [0069.079] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0069.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0069.079] lstrlenW (lpString=".zip") returned 4 [0069.079] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0069.079] lstrlenW (lpString=".rar") returned 4 [0069.079] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0069.079] lstrlenW (lpString=".bz2") returned 4 [0069.079] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0069.079] lstrlenW (lpString=".7z") returned 3 [0069.079] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0069.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0069.079] lstrlenW (lpString=".dbf") returned 4 [0069.079] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0069.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0069.079] lstrlenW (lpString=".1cd") returned 4 [0069.079] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0069.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0069.079] lstrlenW (lpString=".jpg") returned 4 [0069.080] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0069.080] lstrcmpiW (lpString1=".GIF", lpString2=".bmd") returned 1 [0069.080] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0069.080] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0069.925] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=2181) returned 1 [0069.925] CloseHandle (hObject=0x1d4) returned 1 [0069.925] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif")) returned 0x20 [0069.925] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0069.926] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0069.926] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.926] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.926] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0070.196] GetLastError () returned 0x0 [0070.196] ReadFile (in: hFile=0x1d4, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x885, lpOverlapped=0x0) returned 1 [0070.198] WriteFile (in: hFile=0x1f8, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x890, lpOverlapped=0x0) returned 1 [0070.200] ReadFile (in: hFile=0x1d4, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0070.200] WriteFile (in: hFile=0x1f8, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xea, lpOverlapped=0x0) returned 1 [0070.200] SetEndOfFile (hFile=0x1f8) returned 1 [0070.200] CloseHandle (hObject=0x1f8) returned 1 [0070.201] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.201] SetEndOfFile (hFile=0x1d4) returned 1 [0070.202] CloseHandle (hObject=0x1d4) returned 1 [0070.202] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0070.202] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif")) returned 1 [0070.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0070.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0070.203] lstrlenW (lpString=".doc") returned 4 [0070.203] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.203] lstrlenW (lpString=".docx") returned 5 [0070.203] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0070.203] lstrlenW (lpString=".pdf") returned 4 [0070.203] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.203] lstrlenW (lpString=".xls") returned 4 [0070.203] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.203] lstrlenW (lpString=".xlsx") returned 5 [0070.203] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0070.203] lstrlenW (lpString=".ppt") returned 4 [0070.203] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0070.203] lstrlenW (lpString=".zip") returned 4 [0070.203] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.203] lstrlenW (lpString=".rar") returned 4 [0070.203] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.203] lstrlenW (lpString=".bz2") returned 4 [0070.203] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.203] lstrlenW (lpString=".7z") returned 3 [0070.203] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0070.203] lstrlenW (lpString=".dbf") returned 4 [0070.204] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0070.204] lstrlenW (lpString=".1cd") returned 4 [0070.204] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0070.204] lstrlenW (lpString=".jpg") returned 4 [0070.204] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0070.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0070.204] lstrlenW (lpString=".doc") returned 4 [0070.204] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.204] lstrlenW (lpString=".docx") returned 5 [0070.204] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0070.204] lstrlenW (lpString=".pdf") returned 4 [0070.204] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.204] lstrlenW (lpString=".xls") returned 4 [0070.204] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.204] lstrlenW (lpString=".xlsx") returned 5 [0070.204] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0070.204] lstrlenW (lpString=".ppt") returned 4 [0070.204] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0070.204] lstrlenW (lpString=".zip") returned 4 [0070.204] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.205] lstrlenW (lpString=".rar") returned 4 [0070.205] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.205] lstrlenW (lpString=".bz2") returned 4 [0070.205] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.205] lstrlenW (lpString=".7z") returned 3 [0070.205] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0070.205] lstrlenW (lpString=".dbf") returned 4 [0070.205] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0070.205] lstrlenW (lpString=".1cd") returned 4 [0070.205] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0070.205] lstrlenW (lpString=".jpg") returned 4 [0070.205] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.205] lstrcmpiW (lpString1=".GIF", lpString2=".bmd") returned 1 [0070.205] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0070.205] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0070.206] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=3479) returned 1 [0070.206] CloseHandle (hObject=0x1d4) returned 1 [0070.206] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif")) returned 0x20 [0070.206] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0070.206] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0070.207] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.207] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.207] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0070.406] GetLastError () returned 0x0 [0070.406] ReadFile (in: hFile=0x1d4, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0xd97, lpOverlapped=0x0) returned 1 [0070.513] WriteFile (in: hFile=0x1f8, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xda0, lpOverlapped=0x0) returned 1 [0070.514] ReadFile (in: hFile=0x1d4, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0070.515] WriteFile (in: hFile=0x1f8, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xea, lpOverlapped=0x0) returned 1 [0070.515] SetEndOfFile (hFile=0x1f8) returned 1 [0070.515] CloseHandle (hObject=0x1f8) returned 1 [0070.515] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.515] SetEndOfFile (hFile=0x1d4) returned 1 [0070.516] CloseHandle (hObject=0x1d4) returned 1 [0070.516] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0070.517] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif")) returned 1 [0070.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0070.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0070.517] lstrlenW (lpString=".doc") returned 4 [0070.517] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.517] lstrlenW (lpString=".docx") returned 5 [0070.517] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0070.517] lstrlenW (lpString=".pdf") returned 4 [0070.517] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.517] lstrlenW (lpString=".xls") returned 4 [0070.517] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.517] lstrlenW (lpString=".xlsx") returned 5 [0070.517] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0070.517] lstrlenW (lpString=".ppt") returned 4 [0070.518] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0070.518] lstrlenW (lpString=".zip") returned 4 [0070.518] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.518] lstrlenW (lpString=".rar") returned 4 [0070.518] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.518] lstrlenW (lpString=".bz2") returned 4 [0070.518] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.518] lstrlenW (lpString=".7z") returned 3 [0070.518] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0070.518] lstrlenW (lpString=".dbf") returned 4 [0070.518] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0070.518] lstrlenW (lpString=".1cd") returned 4 [0070.518] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0070.518] lstrlenW (lpString=".jpg") returned 4 [0070.518] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0070.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0070.519] lstrlenW (lpString=".doc") returned 4 [0070.519] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.519] lstrlenW (lpString=".docx") returned 5 [0070.519] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0070.519] lstrlenW (lpString=".pdf") returned 4 [0070.519] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.519] lstrlenW (lpString=".xls") returned 4 [0070.519] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.519] lstrlenW (lpString=".xlsx") returned 5 [0070.519] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0070.519] lstrlenW (lpString=".ppt") returned 4 [0070.519] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0070.519] lstrlenW (lpString=".zip") returned 4 [0070.519] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.519] lstrlenW (lpString=".rar") returned 4 [0070.519] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.519] lstrlenW (lpString=".bz2") returned 4 [0070.519] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.519] lstrlenW (lpString=".7z") returned 3 [0070.519] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0070.519] lstrlenW (lpString=".dbf") returned 4 [0070.520] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0070.520] lstrlenW (lpString=".1cd") returned 4 [0070.520] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0070.520] lstrlenW (lpString=".jpg") returned 4 [0070.520] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.520] lstrcmpiW (lpString1=".PNG", lpString2=".bmd") returned 1 [0070.520] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0070.520] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0070.914] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x2b2ff1c | out: lpFileSize=0x2b2ff1c*=32607) returned 1 [0070.914] CloseHandle (hObject=0x1ac) returned 1 [0070.914] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png")) returned 0x20 [0070.914] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0070.915] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0070.915] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.915] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.915] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0070.915] GetLastError () returned 0x0 [0070.915] ReadFile (in: hFile=0x1ac, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x7f5f, lpOverlapped=0x0) returned 1 [0070.932] WriteFile (in: hFile=0x19c, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0x7f60, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0x7f60, lpOverlapped=0x0) returned 1 [0070.935] ReadFile (in: hFile=0x1ac, lpBuffer=0x3170020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b2fed4, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesRead=0x2b2fed4*=0x0, lpOverlapped=0x0) returned 1 [0070.936] WriteFile (in: hFile=0x19c, lpBuffer=0x3170020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3170020*, lpNumberOfBytesWritten=0x2b2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0070.936] SetEndOfFile (hFile=0x19c) returned 1 [0070.937] CloseHandle (hObject=0x19c) returned 1 [0070.937] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b2fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.937] SetEndOfFile (hFile=0x1ac) returned 1 [0070.939] CloseHandle (hObject=0x1ac) returned 1 [0070.939] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0070.940] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png")) returned 1 [0070.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0070.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0070.940] lstrlenW (lpString=".doc") returned 4 [0070.940] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0070.941] lstrlenW (lpString=".docx") returned 5 [0070.941] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0070.941] lstrlenW (lpString=".pdf") returned 4 [0070.941] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0070.941] lstrlenW (lpString=".xls") returned 4 [0070.941] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0070.941] lstrlenW (lpString=".xlsx") returned 5 [0070.941] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0070.941] lstrlenW (lpString=".ppt") returned 4 [0070.941] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0070.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0070.941] lstrlenW (lpString=".zip") returned 4 [0070.941] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0070.941] lstrlenW (lpString=".rar") returned 4 [0070.941] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0070.941] lstrlenW (lpString=".bz2") returned 4 [0070.941] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0070.941] lstrlenW (lpString=".7z") returned 3 [0070.941] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0070.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0070.941] lstrlenW (lpString=".dbf") returned 4 [0070.941] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0070.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0070.941] lstrlenW (lpString=".1cd") returned 4 [0070.942] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0070.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0070.942] lstrlenW (lpString=".jpg") returned 4 [0070.942] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0070.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0070.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0070.942] lstrlenW (lpString=".doc") returned 4 [0070.942] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0070.942] lstrlenW (lpString=".docx") returned 5 [0070.942] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0070.942] lstrlenW (lpString=".pdf") returned 4 [0070.942] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0070.942] lstrlenW (lpString=".xls") returned 4 [0070.942] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0070.942] lstrlenW (lpString=".xlsx") returned 5 [0070.942] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0070.942] lstrlenW (lpString=".ppt") returned 4 [0070.942] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0070.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0070.942] lstrlenW (lpString=".zip") returned 4 [0070.942] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0070.942] lstrlenW (lpString=".rar") returned 4 [0070.942] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0070.943] lstrlenW (lpString=".bz2") returned 4 [0070.943] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0070.943] lstrlenW (lpString=".7z") returned 3 [0070.943] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0070.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0070.943] lstrlenW (lpString=".dbf") returned 4 [0070.943] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0070.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0070.944] lstrlenW (lpString=".1cd") returned 4 [0070.944] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0070.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0070.944] lstrlenW (lpString=".jpg") returned 4 [0070.944] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0070.944] lstrcmpiW (lpString1=".PNG", lpString2=".bmd") returned 1 [0070.944] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0070.944] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 12 os_tid = 0x418 [0047.348] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x6a0cc8 [0047.348] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x6b0cd0 [0047.349] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646910 [0047.349] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x63ce28 [0047.349] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6468e0 [0047.349] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x33c0020 [0047.349] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646970 [0047.349] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646970, Size=0x20) returned 0x63c708 [0047.349] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646970 [0047.349] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646970, Size=0x20) returned 0x63c690 [0047.349] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0047.349] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0047.349] Wow64DisableWow64FsRedirection (in: OldValue=0x2c6ff58 | out: OldValue=0x2c6ff58*=0x0) returned 1 [0047.349] lstrlenW (lpString="kernel32.dll") returned 12 [0047.349] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c708 | out: hHeap=0x5f0000) returned 1 [0047.349] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0047.349] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c690 | out: hHeap=0x5f0000) returned 1 [0047.350] Sleep (dwMilliseconds=0x64) [0047.474] lstrcmpiW (lpString1=".ini", lpString2=".bmd") returned 1 [0047.474] lstrlenW (lpString="desktop.ini") returned 11 [0047.474] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0047.474] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=129) returned 1 [0047.474] CloseHandle (hObject=0x160) returned 1 [0047.474] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 0x26 [0047.475] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0047.475] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0047.475] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.475] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.475] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0047.476] GetLastError () returned 0x0 [0047.476] ReadFile (in: hFile=0x160, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x81, lpOverlapped=0x0) returned 1 [0047.485] WriteFile (in: hFile=0x164, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x90, lpOverlapped=0x0) returned 1 [0047.486] ReadFile (in: hFile=0x160, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.486] WriteFile (in: hFile=0x164, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.486] SetEndOfFile (hFile=0x164) returned 1 [0047.486] CloseHandle (hObject=0x164) returned 1 [0047.488] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.488] SetEndOfFile (hFile=0x160) returned 1 [0047.489] CloseHandle (hObject=0x160) returned 1 [0047.489] SetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x26) returned 1 [0047.489] DeleteFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 1 [0047.489] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0047.489] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0047.490] lstrlenW (lpString=".doc") returned 4 [0047.490] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0047.490] lstrlenW (lpString=".docx") returned 5 [0047.490] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0047.490] lstrlenW (lpString=".pdf") returned 4 [0047.490] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0047.490] lstrlenW (lpString=".xls") returned 4 [0047.490] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0047.490] lstrlenW (lpString=".xlsx") returned 5 [0047.490] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0047.490] lstrlenW (lpString=".ppt") returned 4 [0047.490] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0047.490] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0047.490] lstrlenW (lpString=".zip") returned 4 [0047.490] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0047.490] lstrlenW (lpString=".rar") returned 4 [0047.490] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0047.490] lstrlenW (lpString=".bz2") returned 4 [0047.490] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0047.490] lstrlenW (lpString=".7z") returned 3 [0047.490] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0047.490] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0047.490] lstrlenW (lpString=".dbf") returned 4 [0047.490] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0047.490] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0047.490] lstrlenW (lpString=".1cd") returned 4 [0047.490] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0047.490] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0047.490] lstrlenW (lpString=".jpg") returned 4 [0047.490] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0047.490] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0047.490] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0047.490] lstrlenW (lpString=".doc") returned 4 [0047.491] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0047.491] lstrlenW (lpString=".docx") returned 5 [0047.491] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0047.491] lstrlenW (lpString=".pdf") returned 4 [0047.491] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0047.491] lstrlenW (lpString=".xls") returned 4 [0047.491] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0047.491] lstrlenW (lpString=".xlsx") returned 5 [0047.491] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0047.491] lstrlenW (lpString=".ppt") returned 4 [0047.491] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0047.491] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0047.491] lstrlenW (lpString=".zip") returned 4 [0047.491] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0047.491] lstrlenW (lpString=".rar") returned 4 [0047.491] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0047.491] lstrlenW (lpString=".bz2") returned 4 [0047.491] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0047.491] lstrlenW (lpString=".7z") returned 3 [0047.491] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0047.491] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0047.491] lstrlenW (lpString=".dbf") returned 4 [0047.491] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0047.491] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0047.491] lstrlenW (lpString=".1cd") returned 4 [0047.491] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0047.491] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0047.491] lstrlenW (lpString=".jpg") returned 4 [0047.491] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0047.491] lstrcmpiW (lpString1=".LOG", lpString2=".bmd") returned 1 [0047.491] lstrlenW (lpString="BCD.LOG") returned 7 [0047.491] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0047.492] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0047.492] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0047.492] lstrlenW (lpString=".doc") returned 4 [0047.492] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0047.492] lstrlenW (lpString=".docx") returned 5 [0047.492] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0047.492] lstrlenW (lpString=".pdf") returned 4 [0047.492] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0047.492] lstrlenW (lpString=".xls") returned 4 [0047.492] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0047.492] lstrlenW (lpString=".xlsx") returned 5 [0047.492] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0047.492] lstrlenW (lpString=".ppt") returned 4 [0047.492] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0047.492] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0047.492] lstrlenW (lpString=".zip") returned 4 [0047.492] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0047.492] lstrlenW (lpString=".rar") returned 4 [0047.492] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0047.492] lstrlenW (lpString=".bz2") returned 4 [0047.492] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0047.492] lstrlenW (lpString=".7z") returned 3 [0047.492] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0047.492] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0047.492] lstrlenW (lpString=".dbf") returned 4 [0047.492] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0047.492] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0047.492] lstrlenW (lpString=".1cd") returned 4 [0047.492] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0047.492] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0047.492] lstrlenW (lpString=".jpg") returned 4 [0047.492] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0047.493] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0047.493] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0047.493] lstrlenW (lpString=".doc") returned 4 [0047.493] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0047.493] lstrlenW (lpString=".docx") returned 5 [0047.493] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0047.493] lstrlenW (lpString=".pdf") returned 4 [0047.493] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0047.493] lstrlenW (lpString=".xls") returned 4 [0047.493] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0047.493] lstrlenW (lpString=".xlsx") returned 5 [0047.493] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0047.493] lstrlenW (lpString=".ppt") returned 4 [0047.493] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0047.493] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0047.493] lstrlenW (lpString=".zip") returned 4 [0047.493] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0047.493] lstrlenW (lpString=".rar") returned 4 [0047.493] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0047.493] lstrlenW (lpString=".bz2") returned 4 [0047.493] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0047.493] lstrlenW (lpString=".7z") returned 3 [0047.493] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0047.493] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0047.493] lstrlenW (lpString=".dbf") returned 4 [0047.493] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0047.493] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0047.493] lstrlenW (lpString=".1cd") returned 4 [0047.493] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0047.493] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0047.493] lstrlenW (lpString=".jpg") returned 4 [0047.493] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0047.494] lstrcmpiW (lpString1=".DAT", lpString2=".bmd") returned 1 [0047.494] lstrlenW (lpString="BOOTSTAT.DAT") returned 12 [0047.494] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0047.499] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=65536) returned 1 [0047.499] CloseHandle (hObject=0x160) returned 1 [0047.499] GetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 0x26 [0047.499] GetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\bootstat.dat.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0047.499] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0047.500] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.500] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.500] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\bootstat.dat.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0047.500] GetLastError () returned 0x0 [0047.500] ReadFile (in: hFile=0x160, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x10000, lpOverlapped=0x0) returned 1 [0047.503] WriteFile (in: hFile=0x164, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x10010, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x10010, lpOverlapped=0x0) returned 1 [0047.505] ReadFile (in: hFile=0x160, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.505] WriteFile (in: hFile=0x164, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.505] SetEndOfFile (hFile=0x164) returned 1 [0047.506] CloseHandle (hObject=0x164) returned 1 [0047.526] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.526] SetEndOfFile (hFile=0x160) returned 1 [0047.528] CloseHandle (hObject=0x160) returned 1 [0047.529] SetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x26) returned 1 [0047.529] DeleteFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 1 [0047.529] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0047.529] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0047.529] lstrlenW (lpString=".doc") returned 4 [0047.529] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0047.530] lstrlenW (lpString=".docx") returned 5 [0047.530] lstrcmpiW (lpString1=".docx", lpString2="T.DAT") returned -1 [0047.530] lstrlenW (lpString=".pdf") returned 4 [0047.530] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0047.530] lstrlenW (lpString=".xls") returned 4 [0047.530] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0047.530] lstrlenW (lpString=".xlsx") returned 5 [0047.530] lstrcmpiW (lpString1=".xlsx", lpString2="T.DAT") returned -1 [0047.530] lstrlenW (lpString=".ppt") returned 4 [0047.530] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0047.530] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0047.530] lstrlenW (lpString=".zip") returned 4 [0047.530] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0047.530] lstrlenW (lpString=".rar") returned 4 [0047.530] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0047.530] lstrlenW (lpString=".bz2") returned 4 [0047.530] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0047.530] lstrlenW (lpString=".7z") returned 3 [0047.530] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0047.530] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0047.530] lstrlenW (lpString=".dbf") returned 4 [0047.530] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0047.530] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0047.530] lstrlenW (lpString=".1cd") returned 4 [0047.530] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0047.530] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0047.530] lstrlenW (lpString=".jpg") returned 4 [0047.530] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0047.531] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0047.531] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0047.531] lstrlenW (lpString=".doc") returned 4 [0047.531] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0047.531] lstrlenW (lpString=".docx") returned 5 [0047.531] lstrcmpiW (lpString1=".docx", lpString2="T.DAT") returned -1 [0047.531] lstrlenW (lpString=".pdf") returned 4 [0047.531] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0047.531] lstrlenW (lpString=".xls") returned 4 [0047.531] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0047.531] lstrlenW (lpString=".xlsx") returned 5 [0047.531] lstrcmpiW (lpString1=".xlsx", lpString2="T.DAT") returned -1 [0047.531] lstrlenW (lpString=".ppt") returned 4 [0047.531] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0047.531] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0047.531] lstrlenW (lpString=".zip") returned 4 [0047.531] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0047.531] lstrlenW (lpString=".rar") returned 4 [0047.531] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0047.531] lstrlenW (lpString=".bz2") returned 4 [0047.531] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0047.531] lstrlenW (lpString=".7z") returned 3 [0047.531] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0047.531] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0047.531] lstrlenW (lpString=".dbf") returned 4 [0047.531] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0047.531] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0047.531] lstrlenW (lpString=".1cd") returned 4 [0047.532] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0047.532] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0047.532] lstrlenW (lpString=".jpg") returned 4 [0047.532] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0047.532] Sleep (dwMilliseconds=0x64) [0047.761] Sleep (dwMilliseconds=0x64) [0047.876] Sleep (dwMilliseconds=0x64) [0047.980] Sleep (dwMilliseconds=0x64) [0048.090] Sleep (dwMilliseconds=0x64) [0048.436] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0048.436] lstrlenW (lpString="ExcelMUI.xml") returned 12 [0048.436] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0048.438] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1565) returned 1 [0048.438] CloseHandle (hObject=0x164) returned 1 [0048.438] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml")) returned 0x2020 [0048.438] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.438] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0048.438] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.438] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.438] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0048.445] GetLastError () returned 0x0 [0048.445] ReadFile (in: hFile=0x164, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x61d, lpOverlapped=0x0) returned 1 [0048.451] WriteFile (in: hFile=0x184, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x620, lpOverlapped=0x0) returned 1 [0048.452] ReadFile (in: hFile=0x164, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.452] WriteFile (in: hFile=0x184, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.452] SetEndOfFile (hFile=0x184) returned 1 [0048.452] CloseHandle (hObject=0x184) returned 1 [0048.453] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.454] SetEndOfFile (hFile=0x164) returned 1 [0048.454] CloseHandle (hObject=0x164) returned 1 [0048.455] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0048.455] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml")) returned 1 [0048.455] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0048.455] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0048.455] lstrlenW (lpString=".doc") returned 4 [0048.455] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0048.455] lstrlenW (lpString=".docx") returned 5 [0048.455] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0048.455] lstrlenW (lpString=".pdf") returned 4 [0048.455] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0048.455] lstrlenW (lpString=".xls") returned 4 [0048.455] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0048.455] lstrlenW (lpString=".xlsx") returned 5 [0048.455] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0048.455] lstrlenW (lpString=".ppt") returned 4 [0048.455] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0048.455] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0048.455] lstrlenW (lpString=".zip") returned 4 [0048.456] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0048.456] lstrlenW (lpString=".rar") returned 4 [0048.456] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0048.456] lstrlenW (lpString=".bz2") returned 4 [0048.456] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0048.456] lstrlenW (lpString=".7z") returned 3 [0048.456] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0048.456] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0048.456] lstrlenW (lpString=".dbf") returned 4 [0048.456] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0048.456] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0048.456] lstrlenW (lpString=".1cd") returned 4 [0048.456] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0048.456] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0048.456] lstrlenW (lpString=".jpg") returned 4 [0048.456] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0048.456] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0048.456] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0048.456] lstrlenW (lpString=".doc") returned 4 [0048.456] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0048.456] lstrlenW (lpString=".docx") returned 5 [0048.456] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0048.456] lstrlenW (lpString=".pdf") returned 4 [0048.456] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0048.456] lstrlenW (lpString=".xls") returned 4 [0048.456] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0048.456] lstrlenW (lpString=".xlsx") returned 5 [0048.456] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0048.456] lstrlenW (lpString=".ppt") returned 4 [0048.456] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0048.456] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0048.456] lstrlenW (lpString=".zip") returned 4 [0048.456] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0048.456] lstrlenW (lpString=".rar") returned 4 [0048.457] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0048.457] lstrlenW (lpString=".bz2") returned 4 [0048.457] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0048.457] lstrlenW (lpString=".7z") returned 3 [0048.457] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0048.457] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0048.457] lstrlenW (lpString=".dbf") returned 4 [0048.457] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0048.457] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0048.457] lstrlenW (lpString=".1cd") returned 4 [0048.457] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0048.457] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0048.457] lstrlenW (lpString=".jpg") returned 4 [0048.457] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0048.457] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0048.457] lstrlenW (lpString="Setup.xml") returned 9 [0048.457] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0048.458] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=2296) returned 1 [0048.458] CloseHandle (hObject=0x164) returned 1 [0048.458] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0048.458] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.458] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0048.458] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.459] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.459] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0048.459] GetLastError () returned 0x0 [0048.459] ReadFile (in: hFile=0x164, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x8f8, lpOverlapped=0x0) returned 1 [0048.461] WriteFile (in: hFile=0x184, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x900, lpOverlapped=0x0) returned 1 [0048.462] ReadFile (in: hFile=0x164, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.462] WriteFile (in: hFile=0x184, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0048.462] SetEndOfFile (hFile=0x184) returned 1 [0048.462] CloseHandle (hObject=0x184) returned 1 [0048.507] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.507] SetEndOfFile (hFile=0x164) returned 1 [0048.508] CloseHandle (hObject=0x164) returned 1 [0048.508] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0048.509] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0048.509] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0048.509] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0048.509] lstrlenW (lpString=".doc") returned 4 [0048.509] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0048.509] lstrlenW (lpString=".docx") returned 5 [0048.509] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0048.509] lstrlenW (lpString=".pdf") returned 4 [0048.509] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0048.509] lstrlenW (lpString=".xls") returned 4 [0048.509] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0048.509] lstrlenW (lpString=".xlsx") returned 5 [0048.509] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0048.509] lstrlenW (lpString=".ppt") returned 4 [0048.509] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0048.509] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0048.509] lstrlenW (lpString=".zip") returned 4 [0048.509] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0048.509] lstrlenW (lpString=".rar") returned 4 [0048.509] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0048.509] lstrlenW (lpString=".bz2") returned 4 [0048.509] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0048.509] lstrlenW (lpString=".7z") returned 3 [0048.509] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0048.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0048.510] lstrlenW (lpString=".dbf") returned 4 [0048.510] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0048.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0048.510] lstrlenW (lpString=".1cd") returned 4 [0048.510] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0048.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0048.510] lstrlenW (lpString=".jpg") returned 4 [0048.510] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0048.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0048.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0048.510] lstrlenW (lpString=".doc") returned 4 [0048.510] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0048.510] lstrlenW (lpString=".docx") returned 5 [0048.510] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0048.510] lstrlenW (lpString=".pdf") returned 4 [0048.510] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0048.510] lstrlenW (lpString=".xls") returned 4 [0048.510] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0048.510] lstrlenW (lpString=".xlsx") returned 5 [0048.510] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0048.510] lstrlenW (lpString=".ppt") returned 4 [0048.510] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0048.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0048.510] lstrlenW (lpString=".zip") returned 4 [0048.510] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0048.510] lstrlenW (lpString=".rar") returned 4 [0048.510] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0048.510] lstrlenW (lpString=".bz2") returned 4 [0048.510] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0048.510] lstrlenW (lpString=".7z") returned 3 [0048.510] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0048.511] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0048.511] lstrlenW (lpString=".dbf") returned 4 [0048.511] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0048.511] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0048.511] lstrlenW (lpString=".1cd") returned 4 [0048.511] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0048.511] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0048.511] lstrlenW (lpString=".jpg") returned 4 [0048.511] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0048.511] Sleep (dwMilliseconds=0x64) [0048.892] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0048.892] lstrlenW (lpString="Setup.xml") returned 9 [0048.893] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0048.967] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1608) returned 1 [0048.967] CloseHandle (hObject=0x1ac) returned 1 [0048.975] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0048.975] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.976] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0048.976] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.976] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.976] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0048.976] GetLastError () returned 0x0 [0048.985] ReadFile (in: hFile=0x1ac, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x648, lpOverlapped=0x0) returned 1 [0049.693] WriteFile (in: hFile=0x1b0, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x650, lpOverlapped=0x0) returned 1 [0049.694] ReadFile (in: hFile=0x1ac, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.694] WriteFile (in: hFile=0x1b0, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.694] SetEndOfFile (hFile=0x1b0) returned 1 [0049.694] CloseHandle (hObject=0x1b0) returned 1 [0049.695] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.695] SetEndOfFile (hFile=0x1ac) returned 1 [0049.696] CloseHandle (hObject=0x1ac) returned 1 [0049.696] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0049.696] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0049.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.696] lstrlenW (lpString=".doc") returned 4 [0049.696] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0049.696] lstrlenW (lpString=".docx") returned 5 [0049.696] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0049.697] lstrlenW (lpString=".pdf") returned 4 [0049.697] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0049.697] lstrlenW (lpString=".xls") returned 4 [0049.697] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0049.697] lstrlenW (lpString=".xlsx") returned 5 [0049.697] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0049.697] lstrlenW (lpString=".ppt") returned 4 [0049.697] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0049.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.697] lstrlenW (lpString=".zip") returned 4 [0049.697] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0049.697] lstrlenW (lpString=".rar") returned 4 [0049.697] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0049.697] lstrlenW (lpString=".bz2") returned 4 [0049.697] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0049.697] lstrlenW (lpString=".7z") returned 3 [0049.697] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0049.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.697] lstrlenW (lpString=".dbf") returned 4 [0049.697] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0049.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.697] lstrlenW (lpString=".1cd") returned 4 [0049.697] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0049.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.697] lstrlenW (lpString=".jpg") returned 4 [0049.697] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0049.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.697] lstrlenW (lpString=".doc") returned 4 [0049.697] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0049.697] lstrlenW (lpString=".docx") returned 5 [0049.697] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0049.697] lstrlenW (lpString=".pdf") returned 4 [0049.697] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0049.697] lstrlenW (lpString=".xls") returned 4 [0049.697] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0049.698] lstrlenW (lpString=".xlsx") returned 5 [0049.698] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0049.698] lstrlenW (lpString=".ppt") returned 4 [0049.698] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0049.698] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.698] lstrlenW (lpString=".zip") returned 4 [0049.698] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0049.698] lstrlenW (lpString=".rar") returned 4 [0049.698] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0049.698] lstrlenW (lpString=".bz2") returned 4 [0049.698] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0049.698] lstrlenW (lpString=".7z") returned 3 [0049.698] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0049.698] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.698] lstrlenW (lpString=".dbf") returned 4 [0049.698] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0049.698] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.698] lstrlenW (lpString=".1cd") returned 4 [0049.698] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0049.698] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.698] lstrlenW (lpString=".jpg") returned 4 [0049.698] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0049.698] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0049.698] lstrlenW (lpString="WordMUI.xml") returned 11 [0049.698] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0049.699] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1800) returned 1 [0049.699] CloseHandle (hObject=0x1ac) returned 1 [0049.699] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml")) returned 0x2020 [0049.699] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0049.699] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0049.699] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.699] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.699] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0049.699] GetLastError () returned 0x0 [0049.699] ReadFile (in: hFile=0x1ac, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x708, lpOverlapped=0x0) returned 1 [0050.975] WriteFile (in: hFile=0x1b0, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x710, lpOverlapped=0x0) returned 1 [0050.976] ReadFile (in: hFile=0x1ac, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.976] WriteFile (in: hFile=0x1b0, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0050.976] SetEndOfFile (hFile=0x1b0) returned 1 [0050.977] CloseHandle (hObject=0x1b0) returned 1 [0050.977] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.978] SetEndOfFile (hFile=0x1ac) returned 1 [0050.979] CloseHandle (hObject=0x1ac) returned 1 [0050.979] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0050.979] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml")) returned 1 [0050.979] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0050.979] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0050.979] lstrlenW (lpString=".doc") returned 4 [0050.979] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0050.979] lstrlenW (lpString=".docx") returned 5 [0050.979] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0050.979] lstrlenW (lpString=".pdf") returned 4 [0050.980] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0050.980] lstrlenW (lpString=".xls") returned 4 [0050.980] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0050.980] lstrlenW (lpString=".xlsx") returned 5 [0050.980] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0050.980] lstrlenW (lpString=".ppt") returned 4 [0050.980] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0050.980] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0050.980] lstrlenW (lpString=".zip") returned 4 [0050.980] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0050.980] lstrlenW (lpString=".rar") returned 4 [0050.980] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0050.980] lstrlenW (lpString=".bz2") returned 4 [0050.980] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0050.980] lstrlenW (lpString=".7z") returned 3 [0050.980] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0050.980] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0050.980] lstrlenW (lpString=".dbf") returned 4 [0050.980] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0050.980] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0050.980] lstrlenW (lpString=".1cd") returned 4 [0050.980] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0050.980] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0050.980] lstrlenW (lpString=".jpg") returned 4 [0050.980] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0050.980] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0050.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0050.981] lstrlenW (lpString=".doc") returned 4 [0050.981] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0050.981] lstrlenW (lpString=".docx") returned 5 [0050.981] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0050.981] lstrlenW (lpString=".pdf") returned 4 [0050.981] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0050.981] lstrlenW (lpString=".xls") returned 4 [0050.981] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0050.981] lstrlenW (lpString=".xlsx") returned 5 [0050.981] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0050.981] lstrlenW (lpString=".ppt") returned 4 [0050.981] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0050.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0050.981] lstrlenW (lpString=".zip") returned 4 [0050.981] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0050.981] lstrlenW (lpString=".rar") returned 4 [0050.981] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0050.981] lstrlenW (lpString=".bz2") returned 4 [0050.981] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0050.981] lstrlenW (lpString=".7z") returned 3 [0050.981] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0050.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0050.981] lstrlenW (lpString=".dbf") returned 4 [0050.981] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0050.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0050.981] lstrlenW (lpString=".1cd") returned 4 [0050.981] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0050.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0050.982] lstrlenW (lpString=".jpg") returned 4 [0050.982] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0050.982] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0050.982] lstrlenW (lpString="Proofing.xml") returned 12 [0050.982] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0050.982] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=811) returned 1 [0050.982] CloseHandle (hObject=0x1ac) returned 1 [0050.982] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml")) returned 0x2020 [0050.982] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0050.983] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0050.983] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.983] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.983] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0050.983] GetLastError () returned 0x0 [0050.983] ReadFile (in: hFile=0x1ac, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x32b, lpOverlapped=0x0) returned 1 [0051.175] WriteFile (in: hFile=0x1b0, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x330, lpOverlapped=0x0) returned 1 [0051.177] ReadFile (in: hFile=0x1ac, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.177] WriteFile (in: hFile=0x1b0, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.177] SetEndOfFile (hFile=0x1b0) returned 1 [0051.177] CloseHandle (hObject=0x1b0) returned 1 [0051.183] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.183] SetEndOfFile (hFile=0x1ac) returned 1 [0051.184] CloseHandle (hObject=0x1ac) returned 1 [0051.184] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.185] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml")) returned 1 [0051.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0051.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0051.185] lstrlenW (lpString=".doc") returned 4 [0051.185] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.185] lstrlenW (lpString=".docx") returned 5 [0051.185] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0051.185] lstrlenW (lpString=".pdf") returned 4 [0051.185] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.185] lstrlenW (lpString=".xls") returned 4 [0051.185] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.185] lstrlenW (lpString=".xlsx") returned 5 [0051.185] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0051.185] lstrlenW (lpString=".ppt") returned 4 [0051.186] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0051.186] lstrlenW (lpString=".zip") returned 4 [0051.186] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.186] lstrlenW (lpString=".rar") returned 4 [0051.186] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.186] lstrlenW (lpString=".bz2") returned 4 [0051.186] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.186] lstrlenW (lpString=".7z") returned 3 [0051.186] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0051.186] lstrlenW (lpString=".dbf") returned 4 [0051.186] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0051.186] lstrlenW (lpString=".1cd") returned 4 [0051.186] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0051.186] lstrlenW (lpString=".jpg") returned 4 [0051.186] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0051.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0051.186] lstrlenW (lpString=".doc") returned 4 [0051.186] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.186] lstrlenW (lpString=".docx") returned 5 [0051.186] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0051.186] lstrlenW (lpString=".pdf") returned 4 [0051.186] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.186] lstrlenW (lpString=".xls") returned 4 [0051.187] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.187] lstrlenW (lpString=".xlsx") returned 5 [0051.187] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0051.187] lstrlenW (lpString=".ppt") returned 4 [0051.187] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.187] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0051.187] lstrlenW (lpString=".zip") returned 4 [0051.187] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.187] lstrlenW (lpString=".rar") returned 4 [0051.187] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.187] lstrlenW (lpString=".bz2") returned 4 [0051.187] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.187] lstrlenW (lpString=".7z") returned 3 [0051.187] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.187] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0051.187] lstrlenW (lpString=".dbf") returned 4 [0051.187] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.187] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0051.187] lstrlenW (lpString=".1cd") returned 4 [0051.187] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.187] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0051.187] lstrlenW (lpString=".jpg") returned 4 [0051.187] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.187] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0051.188] lstrlenW (lpString="InfoPathMUI.xml") returned 15 [0051.188] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0051.189] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1231) returned 1 [0051.189] CloseHandle (hObject=0x1ac) returned 1 [0051.192] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml")) returned 0x2020 [0051.192] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0051.192] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0051.192] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.192] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.192] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0051.193] GetLastError () returned 0x0 [0051.193] ReadFile (in: hFile=0x1ac, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x4cf, lpOverlapped=0x0) returned 1 [0051.268] WriteFile (in: hFile=0x1b0, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x4d0, lpOverlapped=0x0) returned 1 [0051.269] ReadFile (in: hFile=0x1ac, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.269] WriteFile (in: hFile=0x1b0, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0051.269] SetEndOfFile (hFile=0x1b0) returned 1 [0051.269] CloseHandle (hObject=0x1b0) returned 1 [0051.270] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.270] SetEndOfFile (hFile=0x1ac) returned 1 [0051.271] CloseHandle (hObject=0x1ac) returned 1 [0051.271] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.271] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml")) returned 1 [0051.272] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0051.272] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0051.272] lstrlenW (lpString=".doc") returned 4 [0051.272] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.272] lstrlenW (lpString=".docx") returned 5 [0051.272] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0051.272] lstrlenW (lpString=".pdf") returned 4 [0051.272] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.272] lstrlenW (lpString=".xls") returned 4 [0051.272] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.272] lstrlenW (lpString=".xlsx") returned 5 [0051.272] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0051.272] lstrlenW (lpString=".ppt") returned 4 [0051.272] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.272] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0051.272] lstrlenW (lpString=".zip") returned 4 [0051.272] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.272] lstrlenW (lpString=".rar") returned 4 [0051.272] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.272] lstrlenW (lpString=".bz2") returned 4 [0051.272] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.272] lstrlenW (lpString=".7z") returned 3 [0051.272] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.272] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0051.272] lstrlenW (lpString=".dbf") returned 4 [0051.272] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.272] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0051.272] lstrlenW (lpString=".1cd") returned 4 [0051.272] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.272] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0051.272] lstrlenW (lpString=".jpg") returned 4 [0051.272] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.272] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0051.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0051.273] lstrlenW (lpString=".doc") returned 4 [0051.273] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.273] lstrlenW (lpString=".docx") returned 5 [0051.273] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0051.273] lstrlenW (lpString=".pdf") returned 4 [0051.273] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.273] lstrlenW (lpString=".xls") returned 4 [0051.273] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.273] lstrlenW (lpString=".xlsx") returned 5 [0051.273] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0051.273] lstrlenW (lpString=".ppt") returned 4 [0051.273] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0051.273] lstrlenW (lpString=".zip") returned 4 [0051.273] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.273] lstrlenW (lpString=".rar") returned 4 [0051.273] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.273] lstrlenW (lpString=".bz2") returned 4 [0051.273] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.273] lstrlenW (lpString=".7z") returned 3 [0051.273] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0051.273] lstrlenW (lpString=".dbf") returned 4 [0051.273] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0051.273] lstrlenW (lpString=".1cd") returned 4 [0051.273] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0051.273] lstrlenW (lpString=".jpg") returned 4 [0051.273] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.273] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0051.274] lstrlenW (lpString="OneNoteMUI.xml") returned 14 [0051.274] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0051.274] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1606) returned 1 [0051.275] CloseHandle (hObject=0x1ac) returned 1 [0051.275] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml")) returned 0x2020 [0051.275] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0051.275] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0051.275] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.275] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.275] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0051.275] GetLastError () returned 0x0 [0051.275] ReadFile (in: hFile=0x1ac, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x646, lpOverlapped=0x0) returned 1 [0051.292] WriteFile (in: hFile=0x1b0, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x650, lpOverlapped=0x0) returned 1 [0051.318] ReadFile (in: hFile=0x1ac, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.319] WriteFile (in: hFile=0x1b0, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0051.319] SetEndOfFile (hFile=0x1b0) returned 1 [0051.319] CloseHandle (hObject=0x1b0) returned 1 [0051.319] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.320] SetEndOfFile (hFile=0x1ac) returned 1 [0051.320] CloseHandle (hObject=0x1ac) returned 1 [0051.321] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.321] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml")) returned 1 [0051.321] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0051.321] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0051.321] lstrlenW (lpString=".doc") returned 4 [0051.321] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.321] lstrlenW (lpString=".docx") returned 5 [0051.321] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0051.321] lstrlenW (lpString=".pdf") returned 4 [0051.321] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.321] lstrlenW (lpString=".xls") returned 4 [0051.321] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.321] lstrlenW (lpString=".xlsx") returned 5 [0051.321] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0051.321] lstrlenW (lpString=".ppt") returned 4 [0051.321] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.321] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0051.321] lstrlenW (lpString=".zip") returned 4 [0051.321] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.321] lstrlenW (lpString=".rar") returned 4 [0051.321] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.321] lstrlenW (lpString=".bz2") returned 4 [0051.322] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.322] lstrlenW (lpString=".7z") returned 3 [0051.322] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.322] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0051.322] lstrlenW (lpString=".dbf") returned 4 [0051.322] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.322] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0051.322] lstrlenW (lpString=".1cd") returned 4 [0051.322] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.322] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0051.322] lstrlenW (lpString=".jpg") returned 4 [0051.322] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.322] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0051.322] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0051.322] lstrlenW (lpString=".doc") returned 4 [0051.322] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.322] lstrlenW (lpString=".docx") returned 5 [0051.322] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0051.322] lstrlenW (lpString=".pdf") returned 4 [0051.322] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.322] lstrlenW (lpString=".xls") returned 4 [0051.322] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.322] lstrlenW (lpString=".xlsx") returned 5 [0051.322] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0051.322] lstrlenW (lpString=".ppt") returned 4 [0051.322] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.322] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0051.322] lstrlenW (lpString=".zip") returned 4 [0051.322] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.322] lstrlenW (lpString=".rar") returned 4 [0051.322] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.322] lstrlenW (lpString=".bz2") returned 4 [0051.322] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.322] lstrlenW (lpString=".7z") returned 3 [0051.322] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.323] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0051.323] lstrlenW (lpString=".dbf") returned 4 [0051.323] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.323] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0051.323] lstrlenW (lpString=".1cd") returned 4 [0051.323] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.323] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0051.323] lstrlenW (lpString=".jpg") returned 4 [0051.323] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.323] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0051.323] lstrlenW (lpString="GrooveMUI.xml") returned 13 [0051.323] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0051.625] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=913) returned 1 [0051.625] CloseHandle (hObject=0x1e8) returned 1 [0051.625] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml")) returned 0x2020 [0051.625] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0051.626] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0051.626] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.626] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.626] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0051.626] GetLastError () returned 0x0 [0051.626] ReadFile (in: hFile=0x1e8, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x391, lpOverlapped=0x0) returned 1 [0051.742] WriteFile (in: hFile=0x190, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x3a0, lpOverlapped=0x0) returned 1 [0051.744] ReadFile (in: hFile=0x1e8, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.744] WriteFile (in: hFile=0x190, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xee, lpOverlapped=0x0) returned 1 [0051.744] SetEndOfFile (hFile=0x190) returned 1 [0051.744] CloseHandle (hObject=0x190) returned 1 [0051.746] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.746] SetEndOfFile (hFile=0x1e8) returned 1 [0051.747] CloseHandle (hObject=0x1e8) returned 1 [0051.747] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.747] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml")) returned 1 [0051.747] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0051.747] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0051.748] lstrlenW (lpString=".doc") returned 4 [0051.748] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.748] lstrlenW (lpString=".docx") returned 5 [0051.748] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0051.748] lstrlenW (lpString=".pdf") returned 4 [0051.748] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.748] lstrlenW (lpString=".xls") returned 4 [0051.748] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.748] lstrlenW (lpString=".xlsx") returned 5 [0051.748] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0051.748] lstrlenW (lpString=".ppt") returned 4 [0051.748] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.748] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0051.748] lstrlenW (lpString=".zip") returned 4 [0051.748] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.748] lstrlenW (lpString=".rar") returned 4 [0051.748] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.748] lstrlenW (lpString=".bz2") returned 4 [0051.748] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.748] lstrlenW (lpString=".7z") returned 3 [0051.748] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.748] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0051.748] lstrlenW (lpString=".dbf") returned 4 [0051.748] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.748] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0051.748] lstrlenW (lpString=".1cd") returned 4 [0051.748] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.748] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0051.748] lstrlenW (lpString=".jpg") returned 4 [0051.748] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.748] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0051.748] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0051.748] lstrlenW (lpString=".doc") returned 4 [0051.748] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.748] lstrlenW (lpString=".docx") returned 5 [0051.748] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0051.749] lstrlenW (lpString=".pdf") returned 4 [0051.749] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.749] lstrlenW (lpString=".xls") returned 4 [0051.749] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.749] lstrlenW (lpString=".xlsx") returned 5 [0051.749] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0051.749] lstrlenW (lpString=".ppt") returned 4 [0051.749] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.749] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0051.749] lstrlenW (lpString=".zip") returned 4 [0051.749] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.749] lstrlenW (lpString=".rar") returned 4 [0051.749] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.749] lstrlenW (lpString=".bz2") returned 4 [0051.749] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.749] lstrlenW (lpString=".7z") returned 3 [0051.749] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.749] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0051.749] lstrlenW (lpString=".dbf") returned 4 [0051.749] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.749] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0051.749] lstrlenW (lpString=".1cd") returned 4 [0051.749] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.749] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0051.749] lstrlenW (lpString=".jpg") returned 4 [0051.749] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.749] lstrcmpiW (lpString1=".chm", lpString2=".bmd") returned 1 [0051.749] lstrlenW (lpString="setup.chm") returned 9 [0051.749] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0051.750] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=67190) returned 1 [0051.750] CloseHandle (hObject=0x1e8) returned 1 [0051.750] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm")) returned 0x2020 [0051.750] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0051.750] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0051.750] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.750] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.750] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0051.750] GetLastError () returned 0x0 [0051.750] ReadFile (in: hFile=0x1e8, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x10676, lpOverlapped=0x0) returned 1 [0051.836] WriteFile (in: hFile=0x190, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x10680, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x10680, lpOverlapped=0x0) returned 1 [0051.838] ReadFile (in: hFile=0x1e8, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.838] WriteFile (in: hFile=0x190, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0051.838] SetEndOfFile (hFile=0x190) returned 1 [0051.838] CloseHandle (hObject=0x190) returned 1 [0051.852] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.853] SetEndOfFile (hFile=0x1e8) returned 1 [0051.854] CloseHandle (hObject=0x1e8) returned 1 [0051.854] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.854] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm")) returned 1 [0051.854] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0051.854] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0051.854] lstrlenW (lpString=".doc") returned 4 [0051.854] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0051.854] lstrlenW (lpString=".docx") returned 5 [0051.855] lstrcmpiW (lpString1=".docx", lpString2="p.chm") returned -1 [0051.855] lstrlenW (lpString=".pdf") returned 4 [0051.855] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0051.855] lstrlenW (lpString=".xls") returned 4 [0051.855] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0051.855] lstrlenW (lpString=".xlsx") returned 5 [0051.855] lstrcmpiW (lpString1=".xlsx", lpString2="p.chm") returned -1 [0051.855] lstrlenW (lpString=".ppt") returned 4 [0051.855] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0051.855] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0051.855] lstrlenW (lpString=".zip") returned 4 [0051.855] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0051.855] lstrlenW (lpString=".rar") returned 4 [0051.855] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0051.855] lstrlenW (lpString=".bz2") returned 4 [0051.855] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0051.855] lstrlenW (lpString=".7z") returned 3 [0051.855] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0051.855] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0051.855] lstrlenW (lpString=".dbf") returned 4 [0051.855] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0051.855] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0051.855] lstrlenW (lpString=".1cd") returned 4 [0051.855] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0051.855] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0051.855] lstrlenW (lpString=".jpg") returned 4 [0051.855] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0051.855] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0051.855] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0051.855] lstrlenW (lpString=".doc") returned 4 [0051.855] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0051.855] lstrlenW (lpString=".docx") returned 5 [0051.855] lstrcmpiW (lpString1=".docx", lpString2="p.chm") returned -1 [0051.856] lstrlenW (lpString=".pdf") returned 4 [0051.856] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0051.856] lstrlenW (lpString=".xls") returned 4 [0051.856] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0051.856] lstrlenW (lpString=".xlsx") returned 5 [0051.856] lstrcmpiW (lpString1=".xlsx", lpString2="p.chm") returned -1 [0051.856] lstrlenW (lpString=".ppt") returned 4 [0051.856] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0051.856] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0051.856] lstrlenW (lpString=".zip") returned 4 [0051.856] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0051.856] lstrlenW (lpString=".rar") returned 4 [0051.856] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0051.856] lstrlenW (lpString=".bz2") returned 4 [0051.856] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0051.856] lstrlenW (lpString=".7z") returned 3 [0051.856] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0051.856] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0051.856] lstrlenW (lpString=".dbf") returned 4 [0051.856] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0051.856] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0051.856] lstrlenW (lpString=".1cd") returned 4 [0051.856] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0051.856] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0051.856] lstrlenW (lpString=".jpg") returned 4 [0051.856] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0051.856] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0051.856] lstrlenW (lpString="AccessMUI.xml") returned 13 [0051.856] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0051.899] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1349) returned 1 [0051.899] CloseHandle (hObject=0x190) returned 1 [0051.899] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml")) returned 0x2020 [0051.899] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0051.900] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0051.900] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.900] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.900] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0051.901] GetLastError () returned 0x0 [0051.901] ReadFile (in: hFile=0x190, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x545, lpOverlapped=0x0) returned 1 [0051.903] WriteFile (in: hFile=0x1e8, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x550, lpOverlapped=0x0) returned 1 [0051.904] ReadFile (in: hFile=0x190, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.904] WriteFile (in: hFile=0x1e8, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xee, lpOverlapped=0x0) returned 1 [0051.904] SetEndOfFile (hFile=0x1e8) returned 1 [0051.904] CloseHandle (hObject=0x1e8) returned 1 [0051.907] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.907] SetEndOfFile (hFile=0x190) returned 1 [0051.908] CloseHandle (hObject=0x190) returned 1 [0051.908] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.908] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml")) returned 1 [0051.908] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0051.908] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0051.908] lstrlenW (lpString=".doc") returned 4 [0051.908] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.908] lstrlenW (lpString=".docx") returned 5 [0051.908] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0051.908] lstrlenW (lpString=".pdf") returned 4 [0051.908] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.908] lstrlenW (lpString=".xls") returned 4 [0051.909] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.909] lstrlenW (lpString=".xlsx") returned 5 [0051.909] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0051.909] lstrlenW (lpString=".ppt") returned 4 [0051.909] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0051.909] lstrlenW (lpString=".zip") returned 4 [0051.909] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.909] lstrlenW (lpString=".rar") returned 4 [0051.909] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.909] lstrlenW (lpString=".bz2") returned 4 [0051.909] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.909] lstrlenW (lpString=".7z") returned 3 [0051.909] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0051.909] lstrlenW (lpString=".dbf") returned 4 [0051.909] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0051.909] lstrlenW (lpString=".1cd") returned 4 [0051.909] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0051.909] lstrlenW (lpString=".jpg") returned 4 [0051.909] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0051.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0051.909] lstrlenW (lpString=".doc") returned 4 [0051.909] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.909] lstrlenW (lpString=".docx") returned 5 [0051.909] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0051.909] lstrlenW (lpString=".pdf") returned 4 [0051.909] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.909] lstrlenW (lpString=".xls") returned 4 [0051.909] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.909] lstrlenW (lpString=".xlsx") returned 5 [0051.909] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0051.909] lstrlenW (lpString=".ppt") returned 4 [0051.909] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.910] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0051.910] lstrlenW (lpString=".zip") returned 4 [0051.910] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.910] lstrlenW (lpString=".rar") returned 4 [0051.910] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.910] lstrlenW (lpString=".bz2") returned 4 [0051.910] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.910] lstrlenW (lpString=".7z") returned 3 [0051.910] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.910] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0051.910] lstrlenW (lpString=".dbf") returned 4 [0051.910] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.910] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0051.910] lstrlenW (lpString=".1cd") returned 4 [0051.910] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.910] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0051.910] lstrlenW (lpString=".jpg") returned 4 [0051.910] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.910] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0051.910] lstrlenW (lpString="AccessMUISet.xml") returned 16 [0051.910] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.291] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=819) returned 1 [0052.291] CloseHandle (hObject=0x190) returned 1 [0052.291] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml")) returned 0x2020 [0052.291] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0052.292] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.292] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.292] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.292] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0052.292] GetLastError () returned 0x0 [0052.292] ReadFile (in: hFile=0x190, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x333, lpOverlapped=0x0) returned 1 [0052.294] WriteFile (in: hFile=0x1f8, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x340, lpOverlapped=0x0) returned 1 [0052.298] ReadFile (in: hFile=0x190, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.298] WriteFile (in: hFile=0x1f8, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0052.298] SetEndOfFile (hFile=0x1f8) returned 1 [0052.298] CloseHandle (hObject=0x1f8) returned 1 [0052.299] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.299] SetEndOfFile (hFile=0x190) returned 1 [0052.300] CloseHandle (hObject=0x190) returned 1 [0052.300] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0052.300] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml")) returned 1 [0052.300] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0052.300] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0052.300] lstrlenW (lpString=".doc") returned 4 [0052.300] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.300] lstrlenW (lpString=".docx") returned 5 [0052.300] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0052.300] lstrlenW (lpString=".pdf") returned 4 [0052.300] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.300] lstrlenW (lpString=".xls") returned 4 [0052.301] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.301] lstrlenW (lpString=".xlsx") returned 5 [0052.301] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0052.301] lstrlenW (lpString=".ppt") returned 4 [0052.301] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.301] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0052.301] lstrlenW (lpString=".zip") returned 4 [0052.301] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.301] lstrlenW (lpString=".rar") returned 4 [0052.301] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.301] lstrlenW (lpString=".bz2") returned 4 [0052.301] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.301] lstrlenW (lpString=".7z") returned 3 [0052.301] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.301] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0052.301] lstrlenW (lpString=".dbf") returned 4 [0052.301] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.301] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0052.301] lstrlenW (lpString=".1cd") returned 4 [0052.301] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.301] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0052.301] lstrlenW (lpString=".jpg") returned 4 [0052.301] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.301] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0052.301] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0052.301] lstrlenW (lpString=".doc") returned 4 [0052.302] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.302] lstrlenW (lpString=".docx") returned 5 [0052.302] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0052.302] lstrlenW (lpString=".pdf") returned 4 [0052.302] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.302] lstrlenW (lpString=".xls") returned 4 [0052.302] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.302] lstrlenW (lpString=".xlsx") returned 5 [0052.302] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0052.302] lstrlenW (lpString=".ppt") returned 4 [0052.302] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.302] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0052.302] lstrlenW (lpString=".zip") returned 4 [0052.302] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.302] lstrlenW (lpString=".rar") returned 4 [0052.302] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.302] lstrlenW (lpString=".bz2") returned 4 [0052.302] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.302] lstrlenW (lpString=".7z") returned 3 [0052.302] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.302] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0052.302] lstrlenW (lpString=".dbf") returned 4 [0052.302] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.302] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0052.302] lstrlenW (lpString=".1cd") returned 4 [0052.302] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.302] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0052.302] lstrlenW (lpString=".jpg") returned 4 [0052.302] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.302] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0052.303] lstrlenW (lpString="Office32WW.xml") returned 14 [0052.303] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.304] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=4274) returned 1 [0052.304] CloseHandle (hObject=0x190) returned 1 [0052.304] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0052.304] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0052.304] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.304] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.304] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.304] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0052.304] GetLastError () returned 0x0 [0052.304] ReadFile (in: hFile=0x190, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0052.306] WriteFile (in: hFile=0x1f8, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0052.307] ReadFile (in: hFile=0x190, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.307] WriteFile (in: hFile=0x1f8, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0052.307] SetEndOfFile (hFile=0x1f8) returned 1 [0052.308] CloseHandle (hObject=0x1f8) returned 1 [0052.310] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.310] SetEndOfFile (hFile=0x190) returned 1 [0052.311] CloseHandle (hObject=0x190) returned 1 [0052.311] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0052.311] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0052.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.312] lstrlenW (lpString=".doc") returned 4 [0052.312] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.312] lstrlenW (lpString=".docx") returned 5 [0052.312] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0052.312] lstrlenW (lpString=".pdf") returned 4 [0052.312] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.312] lstrlenW (lpString=".xls") returned 4 [0052.312] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.312] lstrlenW (lpString=".xlsx") returned 5 [0052.312] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0052.312] lstrlenW (lpString=".ppt") returned 4 [0052.312] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.312] lstrlenW (lpString=".zip") returned 4 [0052.312] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.312] lstrlenW (lpString=".rar") returned 4 [0052.312] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.312] lstrlenW (lpString=".bz2") returned 4 [0052.312] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.312] lstrlenW (lpString=".7z") returned 3 [0052.312] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.312] lstrlenW (lpString=".dbf") returned 4 [0052.312] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.312] lstrlenW (lpString=".1cd") returned 4 [0052.312] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.312] lstrlenW (lpString=".jpg") returned 4 [0052.313] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.313] lstrlenW (lpString=".doc") returned 4 [0052.313] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.313] lstrlenW (lpString=".docx") returned 5 [0052.313] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0052.313] lstrlenW (lpString=".pdf") returned 4 [0052.313] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.313] lstrlenW (lpString=".xls") returned 4 [0052.313] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.313] lstrlenW (lpString=".xlsx") returned 5 [0052.313] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0052.313] lstrlenW (lpString=".ppt") returned 4 [0052.313] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.313] lstrlenW (lpString=".zip") returned 4 [0052.313] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.313] lstrlenW (lpString=".rar") returned 4 [0052.313] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.313] lstrlenW (lpString=".bz2") returned 4 [0052.313] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.313] lstrlenW (lpString=".7z") returned 3 [0052.313] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.313] lstrlenW (lpString=".dbf") returned 4 [0052.313] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.313] lstrlenW (lpString=".1cd") returned 4 [0052.313] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.313] lstrlenW (lpString=".jpg") returned 4 [0052.313] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.314] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0052.314] lstrlenW (lpString="PrjProrWW.xml") returned 13 [0052.314] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.315] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=6421) returned 1 [0052.315] CloseHandle (hObject=0x190) returned 1 [0052.315] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml")) returned 0x2020 [0052.315] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0052.315] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.315] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.315] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.315] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0052.315] GetLastError () returned 0x0 [0052.315] ReadFile (in: hFile=0x190, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x1915, lpOverlapped=0x0) returned 1 [0052.335] WriteFile (in: hFile=0x1f8, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x1920, lpOverlapped=0x0) returned 1 [0052.336] ReadFile (in: hFile=0x190, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.336] WriteFile (in: hFile=0x1f8, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xee, lpOverlapped=0x0) returned 1 [0052.336] SetEndOfFile (hFile=0x1f8) returned 1 [0052.336] CloseHandle (hObject=0x1f8) returned 1 [0052.338] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.338] SetEndOfFile (hFile=0x190) returned 1 [0052.339] CloseHandle (hObject=0x190) returned 1 [0052.339] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0052.339] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml")) returned 1 [0052.340] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0052.340] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0052.340] lstrlenW (lpString=".doc") returned 4 [0052.340] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.340] lstrlenW (lpString=".docx") returned 5 [0052.340] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0052.340] lstrlenW (lpString=".pdf") returned 4 [0052.340] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.340] lstrlenW (lpString=".xls") returned 4 [0052.340] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.340] lstrlenW (lpString=".xlsx") returned 5 [0052.340] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0052.340] lstrlenW (lpString=".ppt") returned 4 [0052.340] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.340] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0052.340] lstrlenW (lpString=".zip") returned 4 [0052.340] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.340] lstrlenW (lpString=".rar") returned 4 [0052.340] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.340] lstrlenW (lpString=".bz2") returned 4 [0052.340] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.340] lstrlenW (lpString=".7z") returned 3 [0052.340] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.340] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0052.340] lstrlenW (lpString=".dbf") returned 4 [0052.340] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.340] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0052.340] lstrlenW (lpString=".1cd") returned 4 [0052.340] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.340] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0052.340] lstrlenW (lpString=".jpg") returned 4 [0052.340] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.341] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0052.341] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0052.341] lstrlenW (lpString=".doc") returned 4 [0052.341] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.341] lstrlenW (lpString=".docx") returned 5 [0052.341] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0052.341] lstrlenW (lpString=".pdf") returned 4 [0052.341] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.341] lstrlenW (lpString=".xls") returned 4 [0052.341] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.341] lstrlenW (lpString=".xlsx") returned 5 [0052.341] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0052.341] lstrlenW (lpString=".ppt") returned 4 [0052.341] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.341] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0052.341] lstrlenW (lpString=".zip") returned 4 [0052.341] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.341] lstrlenW (lpString=".rar") returned 4 [0052.341] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.341] lstrlenW (lpString=".bz2") returned 4 [0052.341] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.341] lstrlenW (lpString=".7z") returned 3 [0052.341] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.341] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0052.341] lstrlenW (lpString=".dbf") returned 4 [0052.341] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.341] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0052.341] lstrlenW (lpString=".1cd") returned 4 [0052.341] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.341] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0052.341] lstrlenW (lpString=".jpg") returned 4 [0052.341] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.342] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0052.342] lstrlenW (lpString="Setup.xml") returned 9 [0052.342] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.342] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=16683) returned 1 [0052.342] CloseHandle (hObject=0x190) returned 1 [0052.342] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0052.342] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0052.342] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.342] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.343] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.343] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0052.343] GetLastError () returned 0x0 [0052.343] ReadFile (in: hFile=0x190, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x412b, lpOverlapped=0x0) returned 1 [0052.725] WriteFile (in: hFile=0x1f8, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x4130, lpOverlapped=0x0) returned 1 [0052.726] ReadFile (in: hFile=0x190, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.726] WriteFile (in: hFile=0x1f8, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0052.727] SetEndOfFile (hFile=0x1f8) returned 1 [0052.727] CloseHandle (hObject=0x1f8) returned 1 [0052.733] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.733] SetEndOfFile (hFile=0x190) returned 1 [0052.734] CloseHandle (hObject=0x190) returned 1 [0052.734] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0052.734] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0052.735] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.735] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.735] lstrlenW (lpString=".doc") returned 4 [0052.735] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.735] lstrlenW (lpString=".docx") returned 5 [0052.735] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0052.735] lstrlenW (lpString=".pdf") returned 4 [0052.735] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.735] lstrlenW (lpString=".xls") returned 4 [0052.735] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.735] lstrlenW (lpString=".xlsx") returned 5 [0052.735] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0052.735] lstrlenW (lpString=".ppt") returned 4 [0052.735] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.735] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.735] lstrlenW (lpString=".zip") returned 4 [0052.735] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.735] lstrlenW (lpString=".rar") returned 4 [0052.735] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.735] lstrlenW (lpString=".bz2") returned 4 [0052.735] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.735] lstrlenW (lpString=".7z") returned 3 [0052.736] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.736] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.736] lstrlenW (lpString=".dbf") returned 4 [0052.736] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.736] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.736] lstrlenW (lpString=".1cd") returned 4 [0052.736] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.736] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.736] lstrlenW (lpString=".jpg") returned 4 [0052.736] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.736] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.736] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.736] lstrlenW (lpString=".doc") returned 4 [0052.736] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.736] lstrlenW (lpString=".docx") returned 5 [0052.736] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0052.736] lstrlenW (lpString=".pdf") returned 4 [0052.736] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.736] lstrlenW (lpString=".xls") returned 4 [0052.736] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.736] lstrlenW (lpString=".xlsx") returned 5 [0052.736] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0052.736] lstrlenW (lpString=".ppt") returned 4 [0052.736] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.736] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.736] lstrlenW (lpString=".zip") returned 4 [0052.737] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.737] lstrlenW (lpString=".rar") returned 4 [0052.737] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.737] lstrlenW (lpString=".bz2") returned 4 [0052.737] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.737] lstrlenW (lpString=".7z") returned 3 [0052.737] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.737] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.737] lstrlenW (lpString=".dbf") returned 4 [0052.737] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.737] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.737] lstrlenW (lpString=".1cd") returned 4 [0052.737] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.737] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.737] lstrlenW (lpString=".jpg") returned 4 [0052.737] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.737] lstrcmpiW (lpString1=".JPG", lpString2=".bmd") returned 1 [0052.737] lstrlenW (lpString="MS.JPG") returned 6 [0052.737] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0053.935] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1061) returned 1 [0053.935] CloseHandle (hObject=0x1f4) returned 1 [0053.935] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg")) returned 0x20 [0053.935] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0053.935] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0053.936] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.936] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.936] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0056.098] GetLastError () returned 0x0 [0056.098] ReadFile (in: hFile=0x1f4, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x425, lpOverlapped=0x0) returned 1 [0057.762] WriteFile (in: hFile=0x208, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x430, lpOverlapped=0x0) returned 1 [0058.040] ReadFile (in: hFile=0x1f4, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.040] WriteFile (in: hFile=0x208, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0058.040] SetEndOfFile (hFile=0x208) returned 1 [0058.040] CloseHandle (hObject=0x208) returned 1 [0058.041] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.041] SetEndOfFile (hFile=0x1f4) returned 1 [0058.042] CloseHandle (hObject=0x1f4) returned 1 [0058.042] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0058.043] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg")) returned 1 [0058.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0058.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0058.043] lstrlenW (lpString=".doc") returned 4 [0058.043] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0058.043] lstrlenW (lpString=".docx") returned 5 [0058.043] lstrcmpiW (lpString1=".docx", lpString2="S.JPG") returned -1 [0058.044] lstrlenW (lpString=".pdf") returned 4 [0058.044] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0058.044] lstrlenW (lpString=".xls") returned 4 [0058.044] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0058.044] lstrlenW (lpString=".xlsx") returned 5 [0058.044] lstrcmpiW (lpString1=".xlsx", lpString2="S.JPG") returned -1 [0058.044] lstrlenW (lpString=".ppt") returned 4 [0058.044] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0058.044] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0058.044] lstrlenW (lpString=".zip") returned 4 [0058.044] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0058.044] lstrlenW (lpString=".rar") returned 4 [0058.044] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0058.044] lstrlenW (lpString=".bz2") returned 4 [0058.044] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0058.044] lstrlenW (lpString=".7z") returned 3 [0058.044] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0058.044] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0058.044] lstrlenW (lpString=".dbf") returned 4 [0058.044] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0058.044] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0058.044] lstrlenW (lpString=".1cd") returned 4 [0058.044] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0058.044] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0058.044] lstrlenW (lpString=".jpg") returned 4 [0058.044] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0058.044] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0058.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0058.045] lstrlenW (lpString=".doc") returned 4 [0058.045] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0058.045] lstrlenW (lpString=".docx") returned 5 [0058.045] lstrcmpiW (lpString1=".docx", lpString2="S.JPG") returned -1 [0058.045] lstrlenW (lpString=".pdf") returned 4 [0058.045] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0058.045] lstrlenW (lpString=".xls") returned 4 [0058.045] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0058.045] lstrlenW (lpString=".xlsx") returned 5 [0058.045] lstrcmpiW (lpString1=".xlsx", lpString2="S.JPG") returned -1 [0058.045] lstrlenW (lpString=".ppt") returned 4 [0058.045] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0058.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0058.045] lstrlenW (lpString=".zip") returned 4 [0058.045] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0058.045] lstrlenW (lpString=".rar") returned 4 [0058.045] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0058.045] lstrlenW (lpString=".bz2") returned 4 [0058.045] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0058.045] lstrlenW (lpString=".7z") returned 3 [0058.045] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0058.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0058.045] lstrlenW (lpString=".dbf") returned 4 [0058.045] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0058.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0058.045] lstrlenW (lpString=".1cd") returned 4 [0058.045] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0058.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0058.046] lstrlenW (lpString=".jpg") returned 4 [0058.046] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0058.046] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0058.046] lstrlenW (lpString="ea.xml") returned 6 [0058.046] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0058.927] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=384) returned 1 [0058.927] CloseHandle (hObject=0x1d0) returned 1 [0058.927] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml")) returned 0x20 [0058.928] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.928] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0058.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0058.928] lstrlenW (lpString=".doc") returned 4 [0058.928] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.928] lstrlenW (lpString=".docx") returned 5 [0058.928] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0058.928] lstrlenW (lpString=".pdf") returned 4 [0058.928] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.928] lstrlenW (lpString=".xls") returned 4 [0058.928] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.928] lstrlenW (lpString=".xlsx") returned 5 [0058.928] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0058.928] lstrlenW (lpString=".ppt") returned 4 [0058.928] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0058.928] lstrlenW (lpString=".zip") returned 4 [0058.928] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.928] lstrlenW (lpString=".rar") returned 4 [0058.928] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.928] lstrlenW (lpString=".bz2") returned 4 [0058.929] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.929] lstrlenW (lpString=".7z") returned 3 [0058.929] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0058.929] lstrlenW (lpString=".dbf") returned 4 [0058.929] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0058.929] lstrlenW (lpString=".1cd") returned 4 [0058.929] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0058.929] lstrlenW (lpString=".jpg") returned 4 [0058.929] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0058.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0058.929] lstrlenW (lpString=".doc") returned 4 [0058.929] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.929] lstrlenW (lpString=".docx") returned 5 [0058.929] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0058.929] lstrlenW (lpString=".pdf") returned 4 [0058.929] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.929] lstrlenW (lpString=".xls") returned 4 [0058.929] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.929] lstrlenW (lpString=".xlsx") returned 5 [0058.929] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0058.929] lstrlenW (lpString=".ppt") returned 4 [0058.929] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0058.929] lstrlenW (lpString=".zip") returned 4 [0058.930] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.930] lstrlenW (lpString=".rar") returned 4 [0058.930] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.930] lstrlenW (lpString=".bz2") returned 4 [0058.930] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.930] lstrlenW (lpString=".7z") returned 3 [0058.930] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0058.930] lstrlenW (lpString=".dbf") returned 4 [0058.930] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0058.930] lstrlenW (lpString=".1cd") returned 4 [0058.930] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0058.930] lstrlenW (lpString=".jpg") returned 4 [0058.930] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.930] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0058.930] lstrlenW (lpString="AccessMUI.XML") returned 13 [0058.930] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0059.588] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1349) returned 1 [0059.588] CloseHandle (hObject=0x20c) returned 1 [0059.588] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml")) returned 0x20 [0059.588] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0059.588] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0059.588] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.588] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.589] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0059.589] GetLastError () returned 0x0 [0059.589] ReadFile (in: hFile=0x20c, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x545, lpOverlapped=0x0) returned 1 [0059.591] WriteFile (in: hFile=0x1d0, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x550, lpOverlapped=0x0) returned 1 [0059.592] ReadFile (in: hFile=0x20c, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.592] WriteFile (in: hFile=0x1d0, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xee, lpOverlapped=0x0) returned 1 [0059.593] SetEndOfFile (hFile=0x1d0) returned 1 [0059.593] CloseHandle (hObject=0x1d0) returned 1 [0059.594] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.594] SetEndOfFile (hFile=0x20c) returned 1 [0059.595] CloseHandle (hObject=0x20c) returned 1 [0059.595] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0059.595] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml")) returned 1 [0059.596] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0059.596] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0059.596] lstrlenW (lpString=".doc") returned 4 [0059.596] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0059.596] lstrlenW (lpString=".docx") returned 5 [0059.596] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0059.596] lstrlenW (lpString=".pdf") returned 4 [0059.596] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0059.596] lstrlenW (lpString=".xls") returned 4 [0059.596] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0059.596] lstrlenW (lpString=".xlsx") returned 5 [0059.596] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0059.596] lstrlenW (lpString=".ppt") returned 4 [0059.596] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0059.596] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0059.596] lstrlenW (lpString=".zip") returned 4 [0059.596] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0059.596] lstrlenW (lpString=".rar") returned 4 [0059.596] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0059.596] lstrlenW (lpString=".bz2") returned 4 [0059.596] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0059.596] lstrlenW (lpString=".7z") returned 3 [0059.596] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0059.596] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0059.596] lstrlenW (lpString=".dbf") returned 4 [0059.596] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0059.596] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0059.596] lstrlenW (lpString=".1cd") returned 4 [0059.596] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0059.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0059.597] lstrlenW (lpString=".jpg") returned 4 [0059.597] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0059.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0059.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0059.597] lstrlenW (lpString=".doc") returned 4 [0059.597] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0059.597] lstrlenW (lpString=".docx") returned 5 [0059.597] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0059.597] lstrlenW (lpString=".pdf") returned 4 [0059.597] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0059.597] lstrlenW (lpString=".xls") returned 4 [0059.597] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0059.597] lstrlenW (lpString=".xlsx") returned 5 [0059.597] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0059.597] lstrlenW (lpString=".ppt") returned 4 [0059.597] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0059.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0059.597] lstrlenW (lpString=".zip") returned 4 [0059.597] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0059.597] lstrlenW (lpString=".rar") returned 4 [0059.597] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0059.597] lstrlenW (lpString=".bz2") returned 4 [0059.597] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0059.597] lstrlenW (lpString=".7z") returned 3 [0059.597] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0059.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0059.597] lstrlenW (lpString=".dbf") returned 4 [0059.597] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0059.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0059.597] lstrlenW (lpString=".1cd") returned 4 [0059.597] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0059.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0059.598] lstrlenW (lpString=".jpg") returned 4 [0059.598] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0059.598] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0059.598] lstrlenW (lpString="InfoPathMUI.XML") returned 15 [0059.598] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0059.598] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1231) returned 1 [0059.598] CloseHandle (hObject=0x20c) returned 1 [0059.598] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml")) returned 0x20 [0059.598] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0059.598] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0059.599] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.599] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.599] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0059.602] GetLastError () returned 0x0 [0059.602] ReadFile (in: hFile=0x20c, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x4cf, lpOverlapped=0x0) returned 1 [0059.604] WriteFile (in: hFile=0x19c, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x4d0, lpOverlapped=0x0) returned 1 [0059.605] ReadFile (in: hFile=0x20c, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.605] WriteFile (in: hFile=0x19c, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0059.605] SetEndOfFile (hFile=0x19c) returned 1 [0059.605] CloseHandle (hObject=0x19c) returned 1 [0059.608] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.608] SetEndOfFile (hFile=0x20c) returned 1 [0059.609] CloseHandle (hObject=0x20c) returned 1 [0059.609] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0059.610] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml")) returned 1 [0059.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0059.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0059.610] lstrlenW (lpString=".doc") returned 4 [0059.610] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0059.610] lstrlenW (lpString=".docx") returned 5 [0059.610] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0059.610] lstrlenW (lpString=".pdf") returned 4 [0059.610] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0059.610] lstrlenW (lpString=".xls") returned 4 [0059.610] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0059.610] lstrlenW (lpString=".xlsx") returned 5 [0059.610] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0059.610] lstrlenW (lpString=".ppt") returned 4 [0059.610] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0059.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0059.610] lstrlenW (lpString=".zip") returned 4 [0059.610] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0059.610] lstrlenW (lpString=".rar") returned 4 [0059.610] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0059.610] lstrlenW (lpString=".bz2") returned 4 [0059.610] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0059.611] lstrlenW (lpString=".7z") returned 3 [0059.611] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0059.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0059.611] lstrlenW (lpString=".dbf") returned 4 [0059.611] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0059.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0059.611] lstrlenW (lpString=".1cd") returned 4 [0059.611] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0059.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0059.611] lstrlenW (lpString=".jpg") returned 4 [0059.611] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0059.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0059.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0059.611] lstrlenW (lpString=".doc") returned 4 [0059.611] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0059.611] lstrlenW (lpString=".docx") returned 5 [0059.611] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0059.611] lstrlenW (lpString=".pdf") returned 4 [0059.611] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0059.611] lstrlenW (lpString=".xls") returned 4 [0059.611] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0059.611] lstrlenW (lpString=".xlsx") returned 5 [0059.611] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0059.611] lstrlenW (lpString=".ppt") returned 4 [0059.611] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0059.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0059.611] lstrlenW (lpString=".zip") returned 4 [0059.611] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0059.611] lstrlenW (lpString=".rar") returned 4 [0059.611] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0059.611] lstrlenW (lpString=".bz2") returned 4 [0059.612] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0059.612] lstrlenW (lpString=".7z") returned 3 [0059.612] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0059.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0059.612] lstrlenW (lpString=".dbf") returned 4 [0059.612] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0059.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0059.612] lstrlenW (lpString=".1cd") returned 4 [0059.612] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0059.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0059.612] lstrlenW (lpString=".jpg") returned 4 [0059.612] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0059.612] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0059.612] lstrlenW (lpString="SETUP.XML") returned 9 [0059.612] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0059.612] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1852) returned 1 [0059.613] CloseHandle (hObject=0x20c) returned 1 [0059.613] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml")) returned 0x20 [0059.613] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0059.613] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0059.613] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.613] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.613] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0059.613] GetLastError () returned 0x0 [0059.613] ReadFile (in: hFile=0x20c, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x73c, lpOverlapped=0x0) returned 1 [0059.615] WriteFile (in: hFile=0x19c, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x740, lpOverlapped=0x0) returned 1 [0059.616] ReadFile (in: hFile=0x20c, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.616] WriteFile (in: hFile=0x19c, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0059.616] SetEndOfFile (hFile=0x19c) returned 1 [0059.616] CloseHandle (hObject=0x19c) returned 1 [0059.617] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.617] SetEndOfFile (hFile=0x20c) returned 1 [0059.618] CloseHandle (hObject=0x20c) returned 1 [0059.618] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0059.619] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml")) returned 1 [0059.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0059.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0059.619] lstrlenW (lpString=".doc") returned 4 [0059.619] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0059.619] lstrlenW (lpString=".docx") returned 5 [0059.619] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0059.619] lstrlenW (lpString=".pdf") returned 4 [0059.619] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0059.619] lstrlenW (lpString=".xls") returned 4 [0059.619] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0059.619] lstrlenW (lpString=".xlsx") returned 5 [0059.619] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0059.619] lstrlenW (lpString=".ppt") returned 4 [0059.619] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0059.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0059.619] lstrlenW (lpString=".zip") returned 4 [0059.619] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0059.619] lstrlenW (lpString=".rar") returned 4 [0059.619] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0059.620] lstrlenW (lpString=".bz2") returned 4 [0059.620] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0059.620] lstrlenW (lpString=".7z") returned 3 [0059.620] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0059.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0059.620] lstrlenW (lpString=".dbf") returned 4 [0059.620] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0059.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0059.620] lstrlenW (lpString=".1cd") returned 4 [0059.620] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0059.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0059.620] lstrlenW (lpString=".jpg") returned 4 [0059.620] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0059.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0059.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0059.620] lstrlenW (lpString=".doc") returned 4 [0059.620] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0059.620] lstrlenW (lpString=".docx") returned 5 [0059.620] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0059.620] lstrlenW (lpString=".pdf") returned 4 [0059.620] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0059.620] lstrlenW (lpString=".xls") returned 4 [0059.620] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0059.620] lstrlenW (lpString=".xlsx") returned 5 [0059.621] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0059.621] lstrlenW (lpString=".ppt") returned 4 [0059.621] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0059.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0059.621] lstrlenW (lpString=".zip") returned 4 [0059.621] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0059.621] lstrlenW (lpString=".rar") returned 4 [0059.621] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0059.621] lstrlenW (lpString=".bz2") returned 4 [0059.621] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0059.621] lstrlenW (lpString=".7z") returned 3 [0059.621] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0059.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0059.621] lstrlenW (lpString=".dbf") returned 4 [0059.621] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0059.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0059.621] lstrlenW (lpString=".1cd") returned 4 [0059.621] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0059.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0059.621] lstrlenW (lpString=".jpg") returned 4 [0059.621] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0059.621] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0059.621] lstrlenW (lpString="BRANDING.XML") returned 12 [0059.621] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0061.364] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=596341) returned 1 [0061.380] CloseHandle (hObject=0x198) returned 1 [0061.380] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml")) returned 0x20 [0061.380] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0061.380] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0061.381] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.381] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.381] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0061.381] GetLastError () returned 0x0 [0061.381] ReadFile (in: hFile=0x198, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x91975, lpOverlapped=0x0) returned 1 [0061.401] WriteFile (in: hFile=0x1ac, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x91980, lpOverlapped=0x0) returned 1 [0061.414] ReadFile (in: hFile=0x198, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0061.414] WriteFile (in: hFile=0x1ac, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0061.415] SetEndOfFile (hFile=0x1ac) returned 1 [0061.415] CloseHandle (hObject=0x1ac) returned 1 [0061.424] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.424] SetEndOfFile (hFile=0x198) returned 1 [0062.111] CloseHandle (hObject=0x198) returned 1 [0062.111] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.112] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml")) returned 1 [0062.112] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0062.112] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0062.112] lstrlenW (lpString=".doc") returned 4 [0062.112] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.112] lstrlenW (lpString=".docx") returned 5 [0062.112] lstrcmpiW (lpString1=".docx", lpString2="G.XML") returned -1 [0062.112] lstrlenW (lpString=".pdf") returned 4 [0062.112] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.112] lstrlenW (lpString=".xls") returned 4 [0062.112] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.112] lstrlenW (lpString=".xlsx") returned 5 [0062.113] lstrcmpiW (lpString1=".xlsx", lpString2="G.XML") returned -1 [0062.113] lstrlenW (lpString=".ppt") returned 4 [0062.113] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.113] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0062.113] lstrlenW (lpString=".zip") returned 4 [0062.113] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.113] lstrlenW (lpString=".rar") returned 4 [0062.113] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.113] lstrlenW (lpString=".bz2") returned 4 [0062.113] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.113] lstrlenW (lpString=".7z") returned 3 [0062.113] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.113] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0062.113] lstrlenW (lpString=".dbf") returned 4 [0062.113] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.113] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0062.113] lstrlenW (lpString=".1cd") returned 4 [0062.113] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.113] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0062.114] lstrlenW (lpString=".jpg") returned 4 [0062.114] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.114] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0062.114] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0062.114] lstrlenW (lpString=".doc") returned 4 [0062.114] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.114] lstrlenW (lpString=".docx") returned 5 [0062.114] lstrcmpiW (lpString1=".docx", lpString2="G.XML") returned -1 [0062.114] lstrlenW (lpString=".pdf") returned 4 [0062.114] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.114] lstrlenW (lpString=".xls") returned 4 [0062.114] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.114] lstrlenW (lpString=".xlsx") returned 5 [0062.114] lstrcmpiW (lpString1=".xlsx", lpString2="G.XML") returned -1 [0062.114] lstrlenW (lpString=".ppt") returned 4 [0062.114] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.114] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0062.114] lstrlenW (lpString=".zip") returned 4 [0062.114] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.114] lstrlenW (lpString=".rar") returned 4 [0062.114] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.114] lstrlenW (lpString=".bz2") returned 4 [0062.114] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.114] lstrlenW (lpString=".7z") returned 3 [0062.114] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.115] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0062.115] lstrlenW (lpString=".dbf") returned 4 [0062.115] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.115] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0062.115] lstrlenW (lpString=".1cd") returned 4 [0062.115] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.115] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0062.115] lstrlenW (lpString=".jpg") returned 4 [0062.115] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.127] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.127] lstrlenW (lpString="Office32MUI.XML") returned 15 [0062.127] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0062.154] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1383) returned 1 [0062.154] CloseHandle (hObject=0x1ec) returned 1 [0062.154] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml")) returned 0x20 [0062.154] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.154] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0062.154] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.155] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.155] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0062.192] GetLastError () returned 0x0 [0062.192] ReadFile (in: hFile=0x1ec, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x567, lpOverlapped=0x0) returned 1 [0062.194] WriteFile (in: hFile=0x21c, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x570, lpOverlapped=0x0) returned 1 [0062.196] ReadFile (in: hFile=0x1ec, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0062.196] WriteFile (in: hFile=0x21c, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0062.196] SetEndOfFile (hFile=0x21c) returned 1 [0062.196] CloseHandle (hObject=0x21c) returned 1 [0062.197] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.197] SetEndOfFile (hFile=0x1ec) returned 1 [0062.198] CloseHandle (hObject=0x1ec) returned 1 [0062.198] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.198] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml")) returned 1 [0062.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0062.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0062.199] lstrlenW (lpString=".doc") returned 4 [0062.199] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.199] lstrlenW (lpString=".docx") returned 5 [0062.199] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0062.199] lstrlenW (lpString=".pdf") returned 4 [0062.199] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.199] lstrlenW (lpString=".xls") returned 4 [0062.199] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.199] lstrlenW (lpString=".xlsx") returned 5 [0062.199] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0062.199] lstrlenW (lpString=".ppt") returned 4 [0062.199] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0062.199] lstrlenW (lpString=".zip") returned 4 [0062.199] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.199] lstrlenW (lpString=".rar") returned 4 [0062.199] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.199] lstrlenW (lpString=".bz2") returned 4 [0062.199] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.199] lstrlenW (lpString=".7z") returned 3 [0062.199] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0062.199] lstrlenW (lpString=".dbf") returned 4 [0062.199] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0062.199] lstrlenW (lpString=".1cd") returned 4 [0062.199] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.200] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0062.200] lstrlenW (lpString=".jpg") returned 4 [0062.200] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.200] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0062.200] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0062.200] lstrlenW (lpString=".doc") returned 4 [0062.200] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.200] lstrlenW (lpString=".docx") returned 5 [0062.200] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0062.200] lstrlenW (lpString=".pdf") returned 4 [0062.200] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.200] lstrlenW (lpString=".xls") returned 4 [0062.200] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.200] lstrlenW (lpString=".xlsx") returned 5 [0062.200] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0062.200] lstrlenW (lpString=".ppt") returned 4 [0062.200] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.200] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0062.200] lstrlenW (lpString=".zip") returned 4 [0062.200] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.200] lstrlenW (lpString=".rar") returned 4 [0062.200] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.200] lstrlenW (lpString=".bz2") returned 4 [0062.200] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.200] lstrlenW (lpString=".7z") returned 3 [0062.200] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.201] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0062.201] lstrlenW (lpString=".dbf") returned 4 [0062.201] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.201] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0062.201] lstrlenW (lpString=".1cd") returned 4 [0062.201] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.201] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0062.201] lstrlenW (lpString=".jpg") returned 4 [0062.201] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.201] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.201] lstrlenW (lpString="OutlookMUI.XML") returned 14 [0062.201] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0062.202] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=3186) returned 1 [0062.202] CloseHandle (hObject=0x1ec) returned 1 [0062.202] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml")) returned 0x20 [0062.202] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.202] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0062.202] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.202] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.202] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0062.204] GetLastError () returned 0x0 [0062.204] ReadFile (in: hFile=0x1ec, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0xc72, lpOverlapped=0x0) returned 1 [0062.206] WriteFile (in: hFile=0x218, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xc80, lpOverlapped=0x0) returned 1 [0062.207] ReadFile (in: hFile=0x1ec, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0062.207] WriteFile (in: hFile=0x218, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0062.207] SetEndOfFile (hFile=0x218) returned 1 [0062.207] CloseHandle (hObject=0x218) returned 1 [0062.211] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.211] SetEndOfFile (hFile=0x1ec) returned 1 [0062.212] CloseHandle (hObject=0x1ec) returned 1 [0062.212] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.212] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml")) returned 1 [0062.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0062.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0062.213] lstrlenW (lpString=".doc") returned 4 [0062.213] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.213] lstrlenW (lpString=".docx") returned 5 [0062.213] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0062.213] lstrlenW (lpString=".pdf") returned 4 [0062.213] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.213] lstrlenW (lpString=".xls") returned 4 [0062.213] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.213] lstrlenW (lpString=".xlsx") returned 5 [0062.213] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0062.213] lstrlenW (lpString=".ppt") returned 4 [0062.213] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0062.213] lstrlenW (lpString=".zip") returned 4 [0062.213] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.213] lstrlenW (lpString=".rar") returned 4 [0062.213] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.213] lstrlenW (lpString=".bz2") returned 4 [0062.213] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.214] lstrlenW (lpString=".7z") returned 3 [0062.214] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0062.214] lstrlenW (lpString=".dbf") returned 4 [0062.214] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0062.214] lstrlenW (lpString=".1cd") returned 4 [0062.214] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0062.214] lstrlenW (lpString=".jpg") returned 4 [0062.214] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0062.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0062.214] lstrlenW (lpString=".doc") returned 4 [0062.214] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.214] lstrlenW (lpString=".docx") returned 5 [0062.214] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0062.214] lstrlenW (lpString=".pdf") returned 4 [0062.214] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.214] lstrlenW (lpString=".xls") returned 4 [0062.214] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.214] lstrlenW (lpString=".xlsx") returned 5 [0062.214] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0062.214] lstrlenW (lpString=".ppt") returned 4 [0062.214] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0062.214] lstrlenW (lpString=".zip") returned 4 [0062.214] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.214] lstrlenW (lpString=".rar") returned 4 [0062.215] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.215] lstrlenW (lpString=".bz2") returned 4 [0062.215] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.215] lstrlenW (lpString=".7z") returned 3 [0062.215] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0062.215] lstrlenW (lpString=".dbf") returned 4 [0062.215] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0062.215] lstrlenW (lpString=".1cd") returned 4 [0062.215] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0062.215] lstrlenW (lpString=".jpg") returned 4 [0062.215] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.215] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.215] lstrlenW (lpString="SETUP.XML") returned 9 [0062.215] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0062.314] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=4207) returned 1 [0062.314] CloseHandle (hObject=0x1ec) returned 1 [0062.314] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml")) returned 0x20 [0062.314] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.314] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0062.314] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.315] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.315] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0062.315] GetLastError () returned 0x0 [0062.315] ReadFile (in: hFile=0x1ec, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x106f, lpOverlapped=0x0) returned 1 [0062.365] WriteFile (in: hFile=0x188, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x1070, lpOverlapped=0x0) returned 1 [0062.366] ReadFile (in: hFile=0x1ec, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0062.366] WriteFile (in: hFile=0x188, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0062.367] SetEndOfFile (hFile=0x188) returned 1 [0062.367] CloseHandle (hObject=0x188) returned 1 [0062.368] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.368] SetEndOfFile (hFile=0x1ec) returned 1 [0062.368] CloseHandle (hObject=0x1ec) returned 1 [0062.368] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.369] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml")) returned 1 [0062.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0062.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0062.369] lstrlenW (lpString=".doc") returned 4 [0062.369] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.369] lstrlenW (lpString=".docx") returned 5 [0062.369] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0062.369] lstrlenW (lpString=".pdf") returned 4 [0062.369] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.369] lstrlenW (lpString=".xls") returned 4 [0062.369] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.369] lstrlenW (lpString=".xlsx") returned 5 [0062.369] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0062.369] lstrlenW (lpString=".ppt") returned 4 [0062.369] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0062.369] lstrlenW (lpString=".zip") returned 4 [0062.369] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.370] lstrlenW (lpString=".rar") returned 4 [0062.370] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.370] lstrlenW (lpString=".bz2") returned 4 [0062.370] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.370] lstrlenW (lpString=".7z") returned 3 [0062.370] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.370] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0062.370] lstrlenW (lpString=".dbf") returned 4 [0062.370] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.370] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0062.370] lstrlenW (lpString=".1cd") returned 4 [0062.370] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.370] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0062.370] lstrlenW (lpString=".jpg") returned 4 [0062.370] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.370] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0062.370] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0062.370] lstrlenW (lpString=".doc") returned 4 [0062.370] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.370] lstrlenW (lpString=".docx") returned 5 [0062.370] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0062.370] lstrlenW (lpString=".pdf") returned 4 [0062.370] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.370] lstrlenW (lpString=".xls") returned 4 [0062.370] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.370] lstrlenW (lpString=".xlsx") returned 5 [0062.370] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0062.370] lstrlenW (lpString=".ppt") returned 4 [0062.371] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0062.371] lstrlenW (lpString=".zip") returned 4 [0062.371] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.371] lstrlenW (lpString=".rar") returned 4 [0062.371] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.371] lstrlenW (lpString=".bz2") returned 4 [0062.371] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.371] lstrlenW (lpString=".7z") returned 3 [0062.371] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0062.371] lstrlenW (lpString=".dbf") returned 4 [0062.371] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0062.371] lstrlenW (lpString=".1cd") returned 4 [0062.371] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0062.371] lstrlenW (lpString=".jpg") returned 4 [0062.371] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.371] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.371] lstrlenW (lpString="SETUP.XML") returned 9 [0062.371] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0062.390] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=16683) returned 1 [0062.390] CloseHandle (hObject=0x19c) returned 1 [0062.404] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml")) returned 0x20 [0062.404] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.404] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0062.404] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.404] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.404] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0062.930] GetLastError () returned 0x0 [0062.930] ReadFile (in: hFile=0x188, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x412b, lpOverlapped=0x0) returned 1 [0062.939] WriteFile (in: hFile=0x198, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x4130, lpOverlapped=0x0) returned 1 [0063.982] ReadFile (in: hFile=0x188, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0063.982] WriteFile (in: hFile=0x198, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0063.982] SetEndOfFile (hFile=0x198) returned 1 [0063.982] CloseHandle (hObject=0x198) returned 1 [0063.983] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0063.983] SetEndOfFile (hFile=0x188) returned 1 [0064.369] CloseHandle (hObject=0x188) returned 1 [0064.369] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0064.369] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml")) returned 1 [0064.370] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0064.370] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0064.370] lstrlenW (lpString=".doc") returned 4 [0064.370] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0064.370] lstrlenW (lpString=".docx") returned 5 [0064.370] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0064.370] lstrlenW (lpString=".pdf") returned 4 [0064.370] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0064.370] lstrlenW (lpString=".xls") returned 4 [0064.370] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0064.370] lstrlenW (lpString=".xlsx") returned 5 [0064.370] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0064.370] lstrlenW (lpString=".ppt") returned 4 [0064.370] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0064.370] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0064.370] lstrlenW (lpString=".zip") returned 4 [0064.370] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0064.370] lstrlenW (lpString=".rar") returned 4 [0064.370] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0064.370] lstrlenW (lpString=".bz2") returned 4 [0064.370] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0064.370] lstrlenW (lpString=".7z") returned 3 [0064.370] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0064.370] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0064.370] lstrlenW (lpString=".dbf") returned 4 [0064.370] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0064.370] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0064.370] lstrlenW (lpString=".1cd") returned 4 [0064.370] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0064.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0064.371] lstrlenW (lpString=".jpg") returned 4 [0064.371] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0064.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0064.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0064.371] lstrlenW (lpString=".doc") returned 4 [0064.371] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0064.371] lstrlenW (lpString=".docx") returned 5 [0064.371] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0064.371] lstrlenW (lpString=".pdf") returned 4 [0064.371] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0064.371] lstrlenW (lpString=".xls") returned 4 [0064.371] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0064.371] lstrlenW (lpString=".xlsx") returned 5 [0064.371] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0064.371] lstrlenW (lpString=".ppt") returned 4 [0064.371] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0064.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0064.371] lstrlenW (lpString=".zip") returned 4 [0064.371] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0064.371] lstrlenW (lpString=".rar") returned 4 [0064.371] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0064.371] lstrlenW (lpString=".bz2") returned 4 [0064.371] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0064.371] lstrlenW (lpString=".7z") returned 3 [0064.371] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0064.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0064.371] lstrlenW (lpString=".dbf") returned 4 [0064.371] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0064.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0064.371] lstrlenW (lpString=".1cd") returned 4 [0064.371] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0064.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0064.372] lstrlenW (lpString=".jpg") returned 4 [0064.372] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0064.372] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0064.372] lstrlenW (lpString="VisiorWW.XML") returned 12 [0064.372] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0064.396] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=8723) returned 1 [0064.396] CloseHandle (hObject=0x218) returned 1 [0064.396] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml")) returned 0x20 [0064.396] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0064.396] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0064.396] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0064.396] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0064.396] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0064.551] GetLastError () returned 0x0 [0064.551] ReadFile (in: hFile=0x218, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x2213, lpOverlapped=0x0) returned 1 [0064.565] WriteFile (in: hFile=0x198, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x2220, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x2220, lpOverlapped=0x0) returned 1 [0064.566] ReadFile (in: hFile=0x218, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0064.566] WriteFile (in: hFile=0x198, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0064.566] SetEndOfFile (hFile=0x198) returned 1 [0064.566] CloseHandle (hObject=0x198) returned 1 [0064.567] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0064.567] SetEndOfFile (hFile=0x218) returned 1 [0064.568] CloseHandle (hObject=0x218) returned 1 [0064.568] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0064.568] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml")) returned 1 [0064.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0064.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0064.568] lstrlenW (lpString=".doc") returned 4 [0064.568] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0064.568] lstrlenW (lpString=".docx") returned 5 [0064.569] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0064.569] lstrlenW (lpString=".pdf") returned 4 [0064.569] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0064.569] lstrlenW (lpString=".xls") returned 4 [0064.569] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0064.569] lstrlenW (lpString=".xlsx") returned 5 [0064.569] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0064.569] lstrlenW (lpString=".ppt") returned 4 [0064.569] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0064.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0064.572] lstrlenW (lpString=".zip") returned 4 [0064.572] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0064.572] lstrlenW (lpString=".rar") returned 4 [0064.572] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0064.572] lstrlenW (lpString=".bz2") returned 4 [0064.572] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0064.572] lstrlenW (lpString=".7z") returned 3 [0064.573] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0064.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0064.573] lstrlenW (lpString=".dbf") returned 4 [0064.573] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0064.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0064.573] lstrlenW (lpString=".1cd") returned 4 [0064.573] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0064.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0064.573] lstrlenW (lpString=".jpg") returned 4 [0064.573] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0064.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0064.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0064.573] lstrlenW (lpString=".doc") returned 4 [0064.573] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0064.573] lstrlenW (lpString=".docx") returned 5 [0064.573] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0064.573] lstrlenW (lpString=".pdf") returned 4 [0064.573] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0064.573] lstrlenW (lpString=".xls") returned 4 [0064.573] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0064.573] lstrlenW (lpString=".xlsx") returned 5 [0064.573] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0064.573] lstrlenW (lpString=".ppt") returned 4 [0064.573] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0064.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0064.573] lstrlenW (lpString=".zip") returned 4 [0064.573] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0064.574] lstrlenW (lpString=".rar") returned 4 [0064.574] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0064.574] lstrlenW (lpString=".bz2") returned 4 [0064.574] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0064.574] lstrlenW (lpString=".7z") returned 3 [0064.574] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0064.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0064.574] lstrlenW (lpString=".dbf") returned 4 [0064.574] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0064.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0064.574] lstrlenW (lpString=".1cd") returned 4 [0064.574] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0064.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0064.574] lstrlenW (lpString=".jpg") returned 4 [0064.574] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0064.574] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0064.574] lstrlenW (lpString="WordMUI.XML") returned 11 [0064.574] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0064.575] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1800) returned 1 [0064.575] CloseHandle (hObject=0x218) returned 1 [0064.579] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml")) returned 0x20 [0064.579] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0064.580] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0064.580] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0064.580] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0064.580] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0065.228] GetLastError () returned 0x0 [0065.228] ReadFile (in: hFile=0x218, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x708, lpOverlapped=0x0) returned 1 [0065.237] WriteFile (in: hFile=0x1ac, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x710, lpOverlapped=0x0) returned 1 [0065.238] ReadFile (in: hFile=0x218, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0065.238] WriteFile (in: hFile=0x1ac, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0065.238] SetEndOfFile (hFile=0x1ac) returned 1 [0065.238] CloseHandle (hObject=0x1ac) returned 1 [0065.238] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0065.238] SetEndOfFile (hFile=0x218) returned 1 [0065.239] CloseHandle (hObject=0x218) returned 1 [0065.239] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0065.240] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml")) returned 1 [0065.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0065.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0065.240] lstrlenW (lpString=".doc") returned 4 [0065.240] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0065.240] lstrlenW (lpString=".docx") returned 5 [0065.240] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0065.240] lstrlenW (lpString=".pdf") returned 4 [0065.240] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0065.240] lstrlenW (lpString=".xls") returned 4 [0065.240] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0065.240] lstrlenW (lpString=".xlsx") returned 5 [0065.240] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0065.240] lstrlenW (lpString=".ppt") returned 4 [0065.240] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0065.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0065.241] lstrlenW (lpString=".zip") returned 4 [0065.241] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0065.241] lstrlenW (lpString=".rar") returned 4 [0065.241] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0065.241] lstrlenW (lpString=".bz2") returned 4 [0065.241] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0065.241] lstrlenW (lpString=".7z") returned 3 [0065.241] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0065.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0065.241] lstrlenW (lpString=".dbf") returned 4 [0065.241] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0065.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0065.241] lstrlenW (lpString=".1cd") returned 4 [0065.241] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0065.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0065.241] lstrlenW (lpString=".jpg") returned 4 [0065.241] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0065.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0065.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0065.241] lstrlenW (lpString=".doc") returned 4 [0065.241] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0065.241] lstrlenW (lpString=".docx") returned 5 [0065.241] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0065.241] lstrlenW (lpString=".pdf") returned 4 [0065.241] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0065.241] lstrlenW (lpString=".xls") returned 4 [0065.242] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0065.242] lstrlenW (lpString=".xlsx") returned 5 [0065.242] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0065.242] lstrlenW (lpString=".ppt") returned 4 [0065.242] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0065.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0065.242] lstrlenW (lpString=".zip") returned 4 [0065.242] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0065.242] lstrlenW (lpString=".rar") returned 4 [0065.242] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0065.242] lstrlenW (lpString=".bz2") returned 4 [0065.242] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0065.242] lstrlenW (lpString=".7z") returned 3 [0065.242] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0065.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0065.242] lstrlenW (lpString=".dbf") returned 4 [0065.242] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0065.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0065.242] lstrlenW (lpString=".1cd") returned 4 [0065.242] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0065.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0065.242] lstrlenW (lpString=".jpg") returned 4 [0065.242] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0065.242] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0065.243] lstrlenW (lpString="PHONE.XML") returned 9 [0065.243] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0066.976] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1844) returned 1 [0066.976] CloseHandle (hObject=0x1f4) returned 1 [0066.976] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml")) returned 0x20 [0066.976] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0066.976] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0066.976] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0066.977] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0066.977] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0066.977] GetLastError () returned 0x0 [0066.977] ReadFile (in: hFile=0x1f4, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x734, lpOverlapped=0x0) returned 1 [0066.980] WriteFile (in: hFile=0x218, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x740, lpOverlapped=0x0) returned 1 [0066.981] ReadFile (in: hFile=0x1f4, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0066.981] WriteFile (in: hFile=0x218, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0066.981] SetEndOfFile (hFile=0x218) returned 1 [0066.982] CloseHandle (hObject=0x218) returned 1 [0066.982] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0066.982] SetEndOfFile (hFile=0x1f4) returned 1 [0066.983] CloseHandle (hObject=0x1f4) returned 1 [0066.983] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0066.983] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml")) returned 1 [0066.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0066.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0066.984] lstrlenW (lpString=".doc") returned 4 [0066.984] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0066.984] lstrlenW (lpString=".docx") returned 5 [0066.984] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0066.984] lstrlenW (lpString=".pdf") returned 4 [0066.984] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0066.984] lstrlenW (lpString=".xls") returned 4 [0066.984] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0066.984] lstrlenW (lpString=".xlsx") returned 5 [0066.984] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0066.984] lstrlenW (lpString=".ppt") returned 4 [0066.984] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0066.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0066.984] lstrlenW (lpString=".zip") returned 4 [0066.984] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0066.984] lstrlenW (lpString=".rar") returned 4 [0066.984] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0066.984] lstrlenW (lpString=".bz2") returned 4 [0066.985] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0066.985] lstrlenW (lpString=".7z") returned 3 [0066.985] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0066.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0066.985] lstrlenW (lpString=".dbf") returned 4 [0066.985] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0066.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0066.985] lstrlenW (lpString=".1cd") returned 4 [0066.985] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0066.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0066.985] lstrlenW (lpString=".jpg") returned 4 [0066.985] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0066.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0066.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0066.985] lstrlenW (lpString=".doc") returned 4 [0066.985] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0066.985] lstrlenW (lpString=".docx") returned 5 [0066.985] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0066.985] lstrlenW (lpString=".pdf") returned 4 [0066.985] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0066.985] lstrlenW (lpString=".xls") returned 4 [0066.985] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0066.985] lstrlenW (lpString=".xlsx") returned 5 [0066.985] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0066.985] lstrlenW (lpString=".ppt") returned 4 [0066.985] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0066.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0066.986] lstrlenW (lpString=".zip") returned 4 [0066.986] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0066.986] lstrlenW (lpString=".rar") returned 4 [0066.986] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0066.986] lstrlenW (lpString=".bz2") returned 4 [0066.986] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0066.986] lstrlenW (lpString=".7z") returned 3 [0066.986] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0066.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0066.986] lstrlenW (lpString=".dbf") returned 4 [0066.986] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0066.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0066.986] lstrlenW (lpString=".1cd") returned 4 [0066.986] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0066.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0066.986] lstrlenW (lpString=".jpg") returned 4 [0066.986] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0066.986] lstrcmpiW (lpString1=".htm", lpString2=".bmd") returned 1 [0066.986] lstrlenW (lpString="Bears.htm") returned 9 [0066.987] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0066.989] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=255) returned 1 [0066.989] CloseHandle (hObject=0x1f4) returned 1 [0066.989] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm")) returned 0x20 [0066.989] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0066.989] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0066.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0066.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0066.989] lstrlenW (lpString=".doc") returned 4 [0066.989] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0066.989] lstrlenW (lpString=".docx") returned 5 [0066.989] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0066.989] lstrlenW (lpString=".pdf") returned 4 [0066.989] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0066.990] lstrlenW (lpString=".xls") returned 4 [0066.990] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0066.990] lstrlenW (lpString=".xlsx") returned 5 [0066.990] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0066.990] lstrlenW (lpString=".ppt") returned 4 [0066.990] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0066.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0066.990] lstrlenW (lpString=".zip") returned 4 [0066.990] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0066.990] lstrlenW (lpString=".rar") returned 4 [0066.990] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0066.990] lstrlenW (lpString=".bz2") returned 4 [0066.990] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0066.990] lstrlenW (lpString=".7z") returned 3 [0066.990] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0066.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0066.990] lstrlenW (lpString=".dbf") returned 4 [0066.990] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0066.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0066.990] lstrlenW (lpString=".1cd") returned 4 [0066.990] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0066.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0066.990] lstrlenW (lpString=".jpg") returned 4 [0066.990] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0066.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0066.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0066.991] lstrlenW (lpString=".doc") returned 4 [0066.991] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0066.991] lstrlenW (lpString=".docx") returned 5 [0066.991] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0066.991] lstrlenW (lpString=".pdf") returned 4 [0066.991] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0066.991] lstrlenW (lpString=".xls") returned 4 [0066.991] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0066.991] lstrlenW (lpString=".xlsx") returned 5 [0066.991] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0066.991] lstrlenW (lpString=".ppt") returned 4 [0066.991] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0066.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0066.991] lstrlenW (lpString=".zip") returned 4 [0066.991] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0066.991] lstrlenW (lpString=".rar") returned 4 [0066.991] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0066.991] lstrlenW (lpString=".bz2") returned 4 [0066.991] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0066.991] lstrlenW (lpString=".7z") returned 3 [0066.991] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0066.992] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0066.992] lstrlenW (lpString=".dbf") returned 4 [0066.992] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0066.992] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0066.992] lstrlenW (lpString=".1cd") returned 4 [0066.992] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0066.992] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0066.992] lstrlenW (lpString=".jpg") returned 4 [0066.992] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0066.992] lstrcmpiW (lpString1=".jpg", lpString2=".bmd") returned 1 [0066.992] lstrlenW (lpString="Bears.jpg") returned 9 [0066.992] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0066.993] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1074) returned 1 [0066.993] CloseHandle (hObject=0x1f4) returned 1 [0066.993] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg")) returned 0x20 [0066.993] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0066.993] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0066.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0066.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0066.993] lstrlenW (lpString=".doc") returned 4 [0066.993] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0066.993] lstrlenW (lpString=".docx") returned 5 [0066.993] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0066.993] lstrlenW (lpString=".pdf") returned 4 [0066.993] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0066.993] lstrlenW (lpString=".xls") returned 4 [0066.993] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0066.994] lstrlenW (lpString=".xlsx") returned 5 [0066.994] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0066.994] lstrlenW (lpString=".ppt") returned 4 [0066.994] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0066.994] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0066.994] lstrlenW (lpString=".zip") returned 4 [0066.994] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0066.994] lstrlenW (lpString=".rar") returned 4 [0066.994] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0066.994] lstrlenW (lpString=".bz2") returned 4 [0066.994] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0066.994] lstrlenW (lpString=".7z") returned 3 [0066.994] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0066.994] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0066.994] lstrlenW (lpString=".dbf") returned 4 [0066.994] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0066.994] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0066.994] lstrlenW (lpString=".1cd") returned 4 [0066.994] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0066.994] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0066.994] lstrlenW (lpString=".jpg") returned 4 [0066.994] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0066.994] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0066.994] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0066.994] lstrlenW (lpString=".doc") returned 4 [0066.995] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0066.995] lstrlenW (lpString=".docx") returned 5 [0066.995] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0066.995] lstrlenW (lpString=".pdf") returned 4 [0066.995] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0066.995] lstrlenW (lpString=".xls") returned 4 [0066.995] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0066.995] lstrlenW (lpString=".xlsx") returned 5 [0066.995] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0066.995] lstrlenW (lpString=".ppt") returned 4 [0066.995] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0066.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0066.995] lstrlenW (lpString=".zip") returned 4 [0066.995] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0066.995] lstrlenW (lpString=".rar") returned 4 [0066.995] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0066.995] lstrlenW (lpString=".bz2") returned 4 [0066.995] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0066.995] lstrlenW (lpString=".7z") returned 3 [0066.995] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0066.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0066.995] lstrlenW (lpString=".dbf") returned 4 [0066.995] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0066.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0066.995] lstrlenW (lpString=".1cd") returned 4 [0066.995] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0066.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0066.996] lstrlenW (lpString=".jpg") returned 4 [0066.996] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0066.996] lstrcmpiW (lpString1=".jpg", lpString2=".bmd") returned 1 [0066.996] lstrlenW (lpString="Blue_Gradient.jpg") returned 17 [0066.996] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0066.997] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=2575) returned 1 [0066.997] CloseHandle (hObject=0x1f4) returned 1 [0066.997] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg")) returned 0x20 [0066.998] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0066.998] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0066.998] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0066.998] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0066.998] lstrlenW (lpString=".doc") returned 4 [0066.998] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0066.998] lstrlenW (lpString=".docx") returned 5 [0066.998] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0066.998] lstrlenW (lpString=".pdf") returned 4 [0066.998] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0066.998] lstrlenW (lpString=".xls") returned 4 [0066.998] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0066.998] lstrlenW (lpString=".xlsx") returned 5 [0066.998] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0066.998] lstrlenW (lpString=".ppt") returned 4 [0066.998] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0066.998] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0066.998] lstrlenW (lpString=".zip") returned 4 [0066.998] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0066.998] lstrlenW (lpString=".rar") returned 4 [0066.998] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0066.999] lstrlenW (lpString=".bz2") returned 4 [0066.999] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0066.999] lstrlenW (lpString=".7z") returned 3 [0066.999] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0066.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0066.999] lstrlenW (lpString=".dbf") returned 4 [0066.999] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0066.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0066.999] lstrlenW (lpString=".1cd") returned 4 [0066.999] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0066.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0066.999] lstrlenW (lpString=".jpg") returned 4 [0066.999] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0066.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0066.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0066.999] lstrlenW (lpString=".doc") returned 4 [0066.999] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0066.999] lstrlenW (lpString=".docx") returned 5 [0066.999] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0066.999] lstrlenW (lpString=".pdf") returned 4 [0066.999] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0066.999] lstrlenW (lpString=".xls") returned 4 [0066.999] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0066.999] lstrlenW (lpString=".xlsx") returned 5 [0066.999] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0067.000] lstrlenW (lpString=".ppt") returned 4 [0067.000] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0067.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0067.000] lstrlenW (lpString=".zip") returned 4 [0067.000] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0067.000] lstrlenW (lpString=".rar") returned 4 [0067.000] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0067.000] lstrlenW (lpString=".bz2") returned 4 [0067.000] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0067.000] lstrlenW (lpString=".7z") returned 3 [0067.000] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0067.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0067.000] lstrlenW (lpString=".dbf") returned 4 [0067.000] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0067.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0067.000] lstrlenW (lpString=".1cd") returned 4 [0067.000] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0067.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0067.000] lstrlenW (lpString=".jpg") returned 4 [0067.000] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0067.000] lstrcmpiW (lpString1=".gif", lpString2=".bmd") returned 1 [0067.001] lstrlenW (lpString="Cave_Drawings.gif") returned 17 [0067.001] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0067.001] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=4587) returned 1 [0067.001] CloseHandle (hObject=0x1f4) returned 1 [0067.001] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif")) returned 0x20 [0067.001] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.001] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0067.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0067.002] lstrlenW (lpString=".doc") returned 4 [0067.002] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0067.002] lstrlenW (lpString=".docx") returned 5 [0067.002] lstrcmpiW (lpString1=".docx", lpString2="s.gif") returned -1 [0067.002] lstrlenW (lpString=".pdf") returned 4 [0067.002] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0067.002] lstrlenW (lpString=".xls") returned 4 [0067.002] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0067.002] lstrlenW (lpString=".xlsx") returned 5 [0067.002] lstrcmpiW (lpString1=".xlsx", lpString2="s.gif") returned -1 [0067.002] lstrlenW (lpString=".ppt") returned 4 [0067.002] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0067.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0067.002] lstrlenW (lpString=".zip") returned 4 [0067.002] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0067.002] lstrlenW (lpString=".rar") returned 4 [0067.002] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0067.002] lstrlenW (lpString=".bz2") returned 4 [0067.002] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0067.002] lstrlenW (lpString=".7z") returned 3 [0067.002] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0067.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0067.002] lstrlenW (lpString=".dbf") returned 4 [0067.002] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0067.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0067.002] lstrlenW (lpString=".1cd") returned 4 [0067.002] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0067.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0067.003] lstrlenW (lpString=".jpg") returned 4 [0067.003] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0067.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0067.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0067.003] lstrlenW (lpString=".doc") returned 4 [0067.003] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0067.003] lstrlenW (lpString=".docx") returned 5 [0067.003] lstrcmpiW (lpString1=".docx", lpString2="s.gif") returned -1 [0067.003] lstrlenW (lpString=".pdf") returned 4 [0067.003] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0067.003] lstrlenW (lpString=".xls") returned 4 [0067.003] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0067.003] lstrlenW (lpString=".xlsx") returned 5 [0067.003] lstrcmpiW (lpString1=".xlsx", lpString2="s.gif") returned -1 [0067.003] lstrlenW (lpString=".ppt") returned 4 [0067.003] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0067.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0067.003] lstrlenW (lpString=".zip") returned 4 [0067.003] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0067.003] lstrlenW (lpString=".rar") returned 4 [0067.003] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0067.003] lstrlenW (lpString=".bz2") returned 4 [0067.003] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0067.003] lstrlenW (lpString=".7z") returned 3 [0067.004] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0067.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0067.004] lstrlenW (lpString=".dbf") returned 4 [0067.004] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0067.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0067.004] lstrlenW (lpString=".1cd") returned 4 [0067.004] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0067.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0067.004] lstrlenW (lpString=".jpg") returned 4 [0067.004] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0067.004] lstrcmpiW (lpString1=".gif", lpString2=".bmd") returned 1 [0067.004] lstrlenW (lpString="Connectivity.gif") returned 16 [0067.004] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0067.005] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=2319) returned 1 [0067.005] CloseHandle (hObject=0x1f4) returned 1 [0067.005] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif")) returned 0x20 [0067.005] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.005] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0067.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0067.005] lstrlenW (lpString=".doc") returned 4 [0067.005] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0067.005] lstrlenW (lpString=".docx") returned 5 [0067.005] lstrcmpiW (lpString1=".docx", lpString2="y.gif") returned -1 [0067.005] lstrlenW (lpString=".pdf") returned 4 [0067.005] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0067.005] lstrlenW (lpString=".xls") returned 4 [0067.005] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0067.005] lstrlenW (lpString=".xlsx") returned 5 [0067.005] lstrcmpiW (lpString1=".xlsx", lpString2="y.gif") returned -1 [0067.005] lstrlenW (lpString=".ppt") returned 4 [0067.005] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0067.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0067.006] lstrlenW (lpString=".zip") returned 4 [0067.006] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0067.006] lstrlenW (lpString=".rar") returned 4 [0067.006] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0067.006] lstrlenW (lpString=".bz2") returned 4 [0067.006] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0067.006] lstrlenW (lpString=".7z") returned 3 [0067.006] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0067.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0067.006] lstrlenW (lpString=".dbf") returned 4 [0067.006] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0067.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0067.006] lstrlenW (lpString=".1cd") returned 4 [0067.006] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0067.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0067.006] lstrlenW (lpString=".jpg") returned 4 [0067.006] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0067.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0067.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0067.006] lstrlenW (lpString=".doc") returned 4 [0067.006] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0067.006] lstrlenW (lpString=".docx") returned 5 [0067.006] lstrcmpiW (lpString1=".docx", lpString2="y.gif") returned -1 [0067.006] lstrlenW (lpString=".pdf") returned 4 [0067.006] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0067.007] lstrlenW (lpString=".xls") returned 4 [0067.007] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0067.007] lstrlenW (lpString=".xlsx") returned 5 [0067.007] lstrcmpiW (lpString1=".xlsx", lpString2="y.gif") returned -1 [0067.007] lstrlenW (lpString=".ppt") returned 4 [0067.007] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0067.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0067.007] lstrlenW (lpString=".zip") returned 4 [0067.007] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0067.007] lstrlenW (lpString=".rar") returned 4 [0067.007] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0067.007] lstrlenW (lpString=".bz2") returned 4 [0067.007] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0067.007] lstrlenW (lpString=".7z") returned 3 [0067.007] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0067.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0067.007] lstrlenW (lpString=".dbf") returned 4 [0067.007] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0067.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0067.007] lstrlenW (lpString=".1cd") returned 4 [0067.007] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0067.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0067.007] lstrlenW (lpString=".jpg") returned 4 [0067.007] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0067.008] lstrcmpiW (lpString1=".ini", lpString2=".bmd") returned 1 [0067.008] lstrlenW (lpString="Desktop.ini") returned 11 [0067.008] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0067.008] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=645) returned 1 [0067.008] CloseHandle (hObject=0x1f4) returned 1 [0067.008] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini")) returned 0x26 [0067.008] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.009] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0067.009] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.009] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.009] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0067.009] GetLastError () returned 0x0 [0067.009] ReadFile (in: hFile=0x1f4, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x285, lpOverlapped=0x0) returned 1 [0067.011] WriteFile (in: hFile=0x218, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x290, lpOverlapped=0x0) returned 1 [0067.012] ReadFile (in: hFile=0x1f4, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.012] WriteFile (in: hFile=0x218, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0067.013] SetEndOfFile (hFile=0x218) returned 1 [0067.013] CloseHandle (hObject=0x218) returned 1 [0067.013] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.013] SetEndOfFile (hFile=0x1f4) returned 1 [0067.014] CloseHandle (hObject=0x1f4) returned 1 [0067.014] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x26) returned 1 [0067.015] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini")) returned 1 [0067.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0067.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0067.015] lstrlenW (lpString=".doc") returned 4 [0067.015] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0067.015] lstrlenW (lpString=".docx") returned 5 [0067.015] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0067.015] lstrlenW (lpString=".pdf") returned 4 [0067.015] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0067.015] lstrlenW (lpString=".xls") returned 4 [0067.015] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0067.015] lstrlenW (lpString=".xlsx") returned 5 [0067.015] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0067.015] lstrlenW (lpString=".ppt") returned 4 [0067.015] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0067.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0067.015] lstrlenW (lpString=".zip") returned 4 [0067.016] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0067.016] lstrlenW (lpString=".rar") returned 4 [0067.016] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0067.016] lstrlenW (lpString=".bz2") returned 4 [0067.016] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0067.016] lstrlenW (lpString=".7z") returned 3 [0067.016] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0067.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0067.016] lstrlenW (lpString=".dbf") returned 4 [0067.016] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0067.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0067.016] lstrlenW (lpString=".1cd") returned 4 [0067.016] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0067.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0067.016] lstrlenW (lpString=".jpg") returned 4 [0067.016] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0067.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0067.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0067.016] lstrlenW (lpString=".doc") returned 4 [0067.016] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0067.016] lstrlenW (lpString=".docx") returned 5 [0067.017] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0067.017] lstrlenW (lpString=".pdf") returned 4 [0067.017] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0067.017] lstrlenW (lpString=".xls") returned 4 [0067.017] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0067.017] lstrlenW (lpString=".xlsx") returned 5 [0067.017] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0067.017] lstrlenW (lpString=".ppt") returned 4 [0067.017] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0067.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0067.017] lstrlenW (lpString=".zip") returned 4 [0067.017] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0067.017] lstrlenW (lpString=".rar") returned 4 [0067.017] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0067.017] lstrlenW (lpString=".bz2") returned 4 [0067.017] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0067.017] lstrlenW (lpString=".7z") returned 3 [0067.017] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0067.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0067.017] lstrlenW (lpString=".dbf") returned 4 [0067.017] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0067.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0067.018] lstrlenW (lpString=".1cd") returned 4 [0067.018] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0067.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0067.018] lstrlenW (lpString=".jpg") returned 4 [0067.018] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0067.018] lstrcmpiW (lpString1=".emf", lpString2=".bmd") returned 1 [0067.018] lstrlenW (lpString="Dotted_Lines.emf") returned 16 [0067.018] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0067.019] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=3792) returned 1 [0067.019] CloseHandle (hObject=0x1f4) returned 1 [0067.019] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf")) returned 0x20 [0067.019] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.019] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0067.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0067.019] lstrlenW (lpString=".doc") returned 4 [0067.020] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0067.020] lstrlenW (lpString=".docx") returned 5 [0067.020] lstrcmpiW (lpString1=".docx", lpString2="s.emf") returned -1 [0067.020] lstrlenW (lpString=".pdf") returned 4 [0067.020] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0067.020] lstrlenW (lpString=".xls") returned 4 [0067.020] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0067.020] lstrlenW (lpString=".xlsx") returned 5 [0067.020] lstrcmpiW (lpString1=".xlsx", lpString2="s.emf") returned -1 [0067.020] lstrlenW (lpString=".ppt") returned 4 [0067.020] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0067.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0067.020] lstrlenW (lpString=".zip") returned 4 [0067.020] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0067.020] lstrlenW (lpString=".rar") returned 4 [0067.020] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0067.020] lstrlenW (lpString=".bz2") returned 4 [0067.020] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0067.020] lstrlenW (lpString=".7z") returned 3 [0067.020] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0067.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0067.021] lstrlenW (lpString=".dbf") returned 4 [0067.021] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0067.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0067.021] lstrlenW (lpString=".1cd") returned 4 [0067.021] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0067.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0067.021] lstrlenW (lpString=".jpg") returned 4 [0067.021] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0067.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0067.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0067.021] lstrlenW (lpString=".doc") returned 4 [0067.021] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0067.021] lstrlenW (lpString=".docx") returned 5 [0067.021] lstrcmpiW (lpString1=".docx", lpString2="s.emf") returned -1 [0067.021] lstrlenW (lpString=".pdf") returned 4 [0067.021] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0067.021] lstrlenW (lpString=".xls") returned 4 [0067.021] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0067.021] lstrlenW (lpString=".xlsx") returned 5 [0067.021] lstrcmpiW (lpString1=".xlsx", lpString2="s.emf") returned -1 [0067.021] lstrlenW (lpString=".ppt") returned 4 [0067.021] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0067.022] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0067.022] lstrlenW (lpString=".zip") returned 4 [0067.022] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0067.022] lstrlenW (lpString=".rar") returned 4 [0067.022] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0067.022] lstrlenW (lpString=".bz2") returned 4 [0067.022] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0067.022] lstrlenW (lpString=".7z") returned 3 [0067.022] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0067.022] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0067.022] lstrlenW (lpString=".dbf") returned 4 [0067.022] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0067.022] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0067.022] lstrlenW (lpString=".1cd") returned 4 [0067.022] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0067.022] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0067.022] lstrlenW (lpString=".jpg") returned 4 [0067.022] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0067.023] lstrcmpiW (lpString1=".htm", lpString2=".bmd") returned 1 [0067.023] lstrlenW (lpString="Garden.htm") returned 10 [0067.023] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0067.023] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=231) returned 1 [0067.023] CloseHandle (hObject=0x1f4) returned 1 [0067.023] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm")) returned 0x20 [0067.023] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.024] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0067.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0067.024] lstrlenW (lpString=".doc") returned 4 [0067.024] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0067.024] lstrlenW (lpString=".docx") returned 5 [0067.024] lstrcmpiW (lpString1=".docx", lpString2="n.htm") returned -1 [0067.024] lstrlenW (lpString=".pdf") returned 4 [0067.024] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0067.024] lstrlenW (lpString=".xls") returned 4 [0067.024] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0067.024] lstrlenW (lpString=".xlsx") returned 5 [0067.024] lstrcmpiW (lpString1=".xlsx", lpString2="n.htm") returned -1 [0067.024] lstrlenW (lpString=".ppt") returned 4 [0067.024] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0067.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0067.024] lstrlenW (lpString=".zip") returned 4 [0067.024] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0067.024] lstrlenW (lpString=".rar") returned 4 [0067.024] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0067.024] lstrlenW (lpString=".bz2") returned 4 [0067.024] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0067.025] lstrlenW (lpString=".7z") returned 3 [0067.025] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0067.025] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0067.025] lstrlenW (lpString=".dbf") returned 4 [0067.025] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0067.025] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0067.025] lstrlenW (lpString=".1cd") returned 4 [0067.025] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0067.025] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0067.025] lstrlenW (lpString=".jpg") returned 4 [0067.025] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0067.025] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0067.025] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0067.025] lstrlenW (lpString=".doc") returned 4 [0067.025] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0067.025] lstrlenW (lpString=".docx") returned 5 [0067.025] lstrcmpiW (lpString1=".docx", lpString2="n.htm") returned -1 [0067.025] lstrlenW (lpString=".pdf") returned 4 [0067.025] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0067.025] lstrlenW (lpString=".xls") returned 4 [0067.025] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0067.025] lstrlenW (lpString=".xlsx") returned 5 [0067.025] lstrcmpiW (lpString1=".xlsx", lpString2="n.htm") returned -1 [0067.025] lstrlenW (lpString=".ppt") returned 4 [0067.025] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0067.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0067.026] lstrlenW (lpString=".zip") returned 4 [0067.026] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0067.026] lstrlenW (lpString=".rar") returned 4 [0067.026] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0067.026] lstrlenW (lpString=".bz2") returned 4 [0067.026] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0067.026] lstrlenW (lpString=".7z") returned 3 [0067.026] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0067.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0067.026] lstrlenW (lpString=".dbf") returned 4 [0067.026] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0067.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0067.026] lstrlenW (lpString=".1cd") returned 4 [0067.026] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0067.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0067.026] lstrlenW (lpString=".jpg") returned 4 [0067.026] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0067.026] lstrcmpiW (lpString1=".jpg", lpString2=".bmd") returned 1 [0067.026] lstrlenW (lpString="Garden.jpg") returned 10 [0067.026] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0067.027] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=23871) returned 1 [0067.027] CloseHandle (hObject=0x1f4) returned 1 [0067.027] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg")) returned 0x20 [0067.027] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.027] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0067.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0067.028] lstrlenW (lpString=".doc") returned 4 [0067.028] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0067.028] lstrlenW (lpString=".docx") returned 5 [0067.028] lstrcmpiW (lpString1=".docx", lpString2="n.jpg") returned -1 [0067.028] lstrlenW (lpString=".pdf") returned 4 [0067.028] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0067.028] lstrlenW (lpString=".xls") returned 4 [0067.028] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0067.028] lstrlenW (lpString=".xlsx") returned 5 [0067.028] lstrcmpiW (lpString1=".xlsx", lpString2="n.jpg") returned -1 [0067.028] lstrlenW (lpString=".ppt") returned 4 [0067.028] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0067.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0067.028] lstrlenW (lpString=".zip") returned 4 [0067.028] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0067.028] lstrlenW (lpString=".rar") returned 4 [0067.028] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0067.028] lstrlenW (lpString=".bz2") returned 4 [0067.028] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0067.028] lstrlenW (lpString=".7z") returned 3 [0067.028] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0067.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0067.029] lstrlenW (lpString=".dbf") returned 4 [0067.029] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0067.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0067.029] lstrlenW (lpString=".1cd") returned 4 [0067.029] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0067.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0067.029] lstrlenW (lpString=".jpg") returned 4 [0067.029] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0067.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0067.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0067.029] lstrlenW (lpString=".doc") returned 4 [0067.029] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0067.029] lstrlenW (lpString=".docx") returned 5 [0067.029] lstrcmpiW (lpString1=".docx", lpString2="n.jpg") returned -1 [0067.029] lstrlenW (lpString=".pdf") returned 4 [0067.029] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0067.029] lstrlenW (lpString=".xls") returned 4 [0067.029] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0067.029] lstrlenW (lpString=".xlsx") returned 5 [0067.029] lstrcmpiW (lpString1=".xlsx", lpString2="n.jpg") returned -1 [0067.029] lstrlenW (lpString=".ppt") returned 4 [0067.029] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0067.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0067.029] lstrlenW (lpString=".zip") returned 4 [0067.029] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0067.030] lstrlenW (lpString=".rar") returned 4 [0067.030] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0067.030] lstrlenW (lpString=".bz2") returned 4 [0067.030] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0067.030] lstrlenW (lpString=".7z") returned 3 [0067.030] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0067.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0067.030] lstrlenW (lpString=".dbf") returned 4 [0067.030] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0067.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0067.030] lstrlenW (lpString=".1cd") returned 4 [0067.030] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0067.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0067.030] lstrlenW (lpString=".jpg") returned 4 [0067.030] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0067.030] lstrcmpiW (lpString1=".emf", lpString2=".bmd") returned 1 [0067.030] lstrlenW (lpString="Genko_1.emf") returned 11 [0067.030] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0067.032] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=5524) returned 1 [0067.032] CloseHandle (hObject=0x1f4) returned 1 [0067.032] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf")) returned 0x20 [0067.032] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.032] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.032] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0067.032] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0067.032] lstrlenW (lpString=".doc") returned 4 [0067.032] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0067.032] lstrlenW (lpString=".docx") returned 5 [0067.032] lstrcmpiW (lpString1=".docx", lpString2="1.emf") returned -1 [0067.032] lstrlenW (lpString=".pdf") returned 4 [0067.032] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0067.032] lstrlenW (lpString=".xls") returned 4 [0067.033] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0067.033] lstrlenW (lpString=".xlsx") returned 5 [0067.033] lstrcmpiW (lpString1=".xlsx", lpString2="1.emf") returned -1 [0067.033] lstrlenW (lpString=".ppt") returned 4 [0067.033] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0067.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0067.033] lstrlenW (lpString=".zip") returned 4 [0067.033] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0067.033] lstrlenW (lpString=".rar") returned 4 [0067.033] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0067.033] lstrlenW (lpString=".bz2") returned 4 [0067.033] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0067.033] lstrlenW (lpString=".7z") returned 3 [0067.033] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0067.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0067.033] lstrlenW (lpString=".dbf") returned 4 [0067.033] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0067.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0067.033] lstrlenW (lpString=".1cd") returned 4 [0067.033] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0067.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0067.033] lstrlenW (lpString=".jpg") returned 4 [0067.033] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0067.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0067.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0067.034] lstrlenW (lpString=".doc") returned 4 [0067.034] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0067.034] lstrlenW (lpString=".docx") returned 5 [0067.034] lstrcmpiW (lpString1=".docx", lpString2="1.emf") returned -1 [0067.034] lstrlenW (lpString=".pdf") returned 4 [0067.034] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0067.034] lstrlenW (lpString=".xls") returned 4 [0067.034] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0067.034] lstrlenW (lpString=".xlsx") returned 5 [0067.034] lstrcmpiW (lpString1=".xlsx", lpString2="1.emf") returned -1 [0067.034] lstrlenW (lpString=".ppt") returned 4 [0067.034] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0067.034] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0067.034] lstrlenW (lpString=".zip") returned 4 [0067.034] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0067.034] lstrlenW (lpString=".rar") returned 4 [0067.034] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0067.034] lstrlenW (lpString=".bz2") returned 4 [0067.034] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0067.034] lstrlenW (lpString=".7z") returned 3 [0067.034] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0067.034] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0067.034] lstrlenW (lpString=".dbf") returned 4 [0067.034] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0067.035] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0067.035] lstrlenW (lpString=".1cd") returned 4 [0067.035] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0067.035] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0067.035] lstrlenW (lpString=".jpg") returned 4 [0067.035] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0067.035] lstrcmpiW (lpString1=".emf", lpString2=".bmd") returned 1 [0067.035] lstrlenW (lpString="Genko_2.emf") returned 11 [0067.035] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0067.036] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=10340) returned 1 [0067.036] CloseHandle (hObject=0x1f4) returned 1 [0067.036] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf")) returned 0x20 [0067.036] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.036] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.036] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0067.036] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0067.036] lstrlenW (lpString=".doc") returned 4 [0067.036] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0067.036] lstrlenW (lpString=".docx") returned 5 [0067.036] lstrcmpiW (lpString1=".docx", lpString2="2.emf") returned -1 [0067.036] lstrlenW (lpString=".pdf") returned 4 [0067.036] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0067.036] lstrlenW (lpString=".xls") returned 4 [0067.036] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0067.036] lstrlenW (lpString=".xlsx") returned 5 [0067.036] lstrcmpiW (lpString1=".xlsx", lpString2="2.emf") returned -1 [0067.036] lstrlenW (lpString=".ppt") returned 4 [0067.037] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0067.037] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0067.037] lstrlenW (lpString=".zip") returned 4 [0067.037] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0067.037] lstrlenW (lpString=".rar") returned 4 [0067.037] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0067.037] lstrlenW (lpString=".bz2") returned 4 [0067.037] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0067.037] lstrlenW (lpString=".7z") returned 3 [0067.037] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0067.037] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0067.037] lstrlenW (lpString=".dbf") returned 4 [0067.037] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0067.037] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0067.037] lstrlenW (lpString=".1cd") returned 4 [0067.037] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0067.037] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0067.037] lstrlenW (lpString=".jpg") returned 4 [0067.037] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0067.037] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0067.037] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0067.037] lstrlenW (lpString=".doc") returned 4 [0067.037] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0067.037] lstrlenW (lpString=".docx") returned 5 [0067.038] lstrcmpiW (lpString1=".docx", lpString2="2.emf") returned -1 [0067.038] lstrlenW (lpString=".pdf") returned 4 [0067.038] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0067.038] lstrlenW (lpString=".xls") returned 4 [0067.038] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0067.038] lstrlenW (lpString=".xlsx") returned 5 [0067.038] lstrcmpiW (lpString1=".xlsx", lpString2="2.emf") returned -1 [0067.038] lstrlenW (lpString=".ppt") returned 4 [0067.038] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0067.038] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0067.038] lstrlenW (lpString=".zip") returned 4 [0067.038] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0067.038] lstrlenW (lpString=".rar") returned 4 [0067.038] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0067.038] lstrlenW (lpString=".bz2") returned 4 [0067.038] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0067.038] lstrlenW (lpString=".7z") returned 3 [0067.038] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0067.038] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0067.038] lstrlenW (lpString=".dbf") returned 4 [0067.038] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0067.038] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0067.038] lstrlenW (lpString=".1cd") returned 4 [0067.038] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0067.038] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0067.039] lstrlenW (lpString=".jpg") returned 4 [0067.039] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0067.039] lstrcmpiW (lpString1=".emf", lpString2=".bmd") returned 1 [0067.039] lstrlenW (lpString="Graph.emf") returned 9 [0067.039] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0067.040] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=116724) returned 1 [0067.040] CloseHandle (hObject=0x218) returned 1 [0067.040] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf")) returned 0x20 [0067.040] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.040] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0067.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0067.041] lstrlenW (lpString=".doc") returned 4 [0067.041] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0067.041] lstrlenW (lpString=".docx") returned 5 [0067.041] lstrcmpiW (lpString1=".docx", lpString2="h.emf") returned -1 [0067.041] lstrlenW (lpString=".pdf") returned 4 [0067.041] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0067.041] lstrlenW (lpString=".xls") returned 4 [0067.041] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0067.041] lstrlenW (lpString=".xlsx") returned 5 [0067.041] lstrcmpiW (lpString1=".xlsx", lpString2="h.emf") returned -1 [0067.041] lstrlenW (lpString=".ppt") returned 4 [0067.041] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0067.041] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0067.041] lstrlenW (lpString=".zip") returned 4 [0067.041] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0067.041] lstrlenW (lpString=".rar") returned 4 [0067.041] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0067.041] lstrlenW (lpString=".bz2") returned 4 [0067.041] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0067.041] lstrlenW (lpString=".7z") returned 3 [0067.041] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0067.041] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0067.041] lstrlenW (lpString=".dbf") returned 4 [0067.041] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0069.512] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=34916) returned 1 [0069.512] CloseHandle (hObject=0x188) returned 1 [0069.512] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png")) returned 0x20 [0069.512] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0069.512] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0069.512] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.512] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.513] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0069.513] GetLastError () returned 0x0 [0069.513] ReadFile (in: hFile=0x188, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x8864, lpOverlapped=0x0) returned 1 [0070.394] WriteFile (in: hFile=0x1ac, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x8870, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x8870, lpOverlapped=0x0) returned 1 [0070.398] ReadFile (in: hFile=0x188, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0070.398] WriteFile (in: hFile=0x1ac, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0070.398] SetEndOfFile (hFile=0x1ac) returned 1 [0070.398] CloseHandle (hObject=0x1ac) returned 1 [0070.399] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.399] SetEndOfFile (hFile=0x188) returned 1 [0070.400] CloseHandle (hObject=0x188) returned 1 [0070.400] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0070.400] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png")) returned 1 [0070.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0070.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0070.400] lstrlenW (lpString=".doc") returned 4 [0070.400] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0070.400] lstrlenW (lpString=".docx") returned 5 [0070.400] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0070.400] lstrlenW (lpString=".pdf") returned 4 [0070.400] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0070.400] lstrlenW (lpString=".xls") returned 4 [0070.400] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0070.400] lstrlenW (lpString=".xlsx") returned 5 [0070.401] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0070.401] lstrlenW (lpString=".ppt") returned 4 [0070.401] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0070.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0070.401] lstrlenW (lpString=".zip") returned 4 [0070.401] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0070.401] lstrlenW (lpString=".rar") returned 4 [0070.401] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0070.401] lstrlenW (lpString=".bz2") returned 4 [0070.401] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0070.401] lstrlenW (lpString=".7z") returned 3 [0070.401] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0070.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0070.401] lstrlenW (lpString=".dbf") returned 4 [0070.401] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0070.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0070.401] lstrlenW (lpString=".1cd") returned 4 [0070.401] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0070.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0070.401] lstrlenW (lpString=".jpg") returned 4 [0070.401] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0070.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0070.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0070.401] lstrlenW (lpString=".doc") returned 4 [0070.401] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0070.401] lstrlenW (lpString=".docx") returned 5 [0070.401] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0070.401] lstrlenW (lpString=".pdf") returned 4 [0070.401] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0070.401] lstrlenW (lpString=".xls") returned 4 [0070.401] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0070.401] lstrlenW (lpString=".xlsx") returned 5 [0070.401] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0070.401] lstrlenW (lpString=".ppt") returned 4 [0070.402] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0070.402] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0070.402] lstrlenW (lpString=".zip") returned 4 [0070.402] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0070.402] lstrlenW (lpString=".rar") returned 4 [0070.402] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0070.402] lstrlenW (lpString=".bz2") returned 4 [0070.402] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0070.402] lstrlenW (lpString=".7z") returned 3 [0070.402] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0070.402] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0070.402] lstrlenW (lpString=".dbf") returned 4 [0070.402] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0070.402] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0070.402] lstrlenW (lpString=".1cd") returned 4 [0070.402] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0070.402] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0070.402] lstrlenW (lpString=".jpg") returned 4 [0070.402] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0070.402] lstrcmpiW (lpString1=".PNG", lpString2=".bmd") returned 1 [0070.402] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0070.402] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0070.403] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=31837) returned 1 [0070.404] CloseHandle (hObject=0x188) returned 1 [0070.404] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png")) returned 0x20 [0070.404] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0070.404] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0070.404] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.404] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.404] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0070.404] GetLastError () returned 0x0 [0070.404] ReadFile (in: hFile=0x188, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x7c5d, lpOverlapped=0x0) returned 1 [0070.475] WriteFile (in: hFile=0x1ac, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0x7c60, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0x7c60, lpOverlapped=0x0) returned 1 [0070.478] ReadFile (in: hFile=0x188, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0070.478] WriteFile (in: hFile=0x1ac, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0070.478] SetEndOfFile (hFile=0x1ac) returned 1 [0070.478] CloseHandle (hObject=0x1ac) returned 1 [0070.479] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.479] SetEndOfFile (hFile=0x188) returned 1 [0070.480] CloseHandle (hObject=0x188) returned 1 [0070.480] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0070.481] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png")) returned 1 [0070.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0070.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0070.481] lstrlenW (lpString=".doc") returned 4 [0070.481] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0070.481] lstrlenW (lpString=".docx") returned 5 [0070.481] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0070.481] lstrlenW (lpString=".pdf") returned 4 [0070.481] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0070.481] lstrlenW (lpString=".xls") returned 4 [0070.482] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0070.482] lstrlenW (lpString=".xlsx") returned 5 [0070.482] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0070.482] lstrlenW (lpString=".ppt") returned 4 [0070.482] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0070.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0070.482] lstrlenW (lpString=".zip") returned 4 [0070.482] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0070.482] lstrlenW (lpString=".rar") returned 4 [0070.482] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0070.482] lstrlenW (lpString=".bz2") returned 4 [0070.482] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0070.482] lstrlenW (lpString=".7z") returned 3 [0070.482] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0070.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0070.482] lstrlenW (lpString=".dbf") returned 4 [0070.482] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0070.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0070.482] lstrlenW (lpString=".1cd") returned 4 [0070.482] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0070.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0070.482] lstrlenW (lpString=".jpg") returned 4 [0070.482] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0070.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0070.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0070.483] lstrlenW (lpString=".doc") returned 4 [0070.483] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0070.483] lstrlenW (lpString=".docx") returned 5 [0070.483] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0070.483] lstrlenW (lpString=".pdf") returned 4 [0070.483] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0070.483] lstrlenW (lpString=".xls") returned 4 [0070.483] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0070.483] lstrlenW (lpString=".xlsx") returned 5 [0070.483] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0070.483] lstrlenW (lpString=".ppt") returned 4 [0070.483] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0070.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0070.483] lstrlenW (lpString=".zip") returned 4 [0070.483] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0070.483] lstrlenW (lpString=".rar") returned 4 [0070.483] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0070.483] lstrlenW (lpString=".bz2") returned 4 [0070.483] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0070.483] lstrlenW (lpString=".7z") returned 3 [0070.483] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0070.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0070.483] lstrlenW (lpString=".dbf") returned 4 [0070.483] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0070.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0070.483] lstrlenW (lpString=".1cd") returned 4 [0070.484] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0070.484] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0070.484] lstrlenW (lpString=".jpg") returned 4 [0070.484] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0070.484] lstrcmpiW (lpString1=".GIF", lpString2=".bmd") returned 1 [0070.484] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0070.484] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0070.485] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=2722) returned 1 [0070.485] CloseHandle (hObject=0x188) returned 1 [0070.485] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif")) returned 0x20 [0070.485] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0070.485] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0070.485] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.485] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.485] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0070.488] GetLastError () returned 0x0 [0070.488] ReadFile (in: hFile=0x188, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0xaa2, lpOverlapped=0x0) returned 1 [0070.490] WriteFile (in: hFile=0x1ac, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xab0, lpOverlapped=0x0) returned 1 [0070.491] ReadFile (in: hFile=0x188, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0070.491] WriteFile (in: hFile=0x1ac, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0070.491] SetEndOfFile (hFile=0x1ac) returned 1 [0070.492] CloseHandle (hObject=0x1ac) returned 1 [0070.492] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.492] SetEndOfFile (hFile=0x188) returned 1 [0070.493] CloseHandle (hObject=0x188) returned 1 [0070.493] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0070.493] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif")) returned 1 [0070.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0070.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0070.494] lstrlenW (lpString=".doc") returned 4 [0070.494] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.494] lstrlenW (lpString=".docx") returned 5 [0070.494] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0070.494] lstrlenW (lpString=".pdf") returned 4 [0070.494] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.494] lstrlenW (lpString=".xls") returned 4 [0070.494] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.494] lstrlenW (lpString=".xlsx") returned 5 [0070.494] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0070.494] lstrlenW (lpString=".ppt") returned 4 [0070.494] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0070.494] lstrlenW (lpString=".zip") returned 4 [0070.494] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.494] lstrlenW (lpString=".rar") returned 4 [0070.494] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.494] lstrlenW (lpString=".bz2") returned 4 [0070.495] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.495] lstrlenW (lpString=".7z") returned 3 [0070.495] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0070.495] lstrlenW (lpString=".dbf") returned 4 [0070.495] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0070.495] lstrlenW (lpString=".1cd") returned 4 [0070.495] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0070.495] lstrlenW (lpString=".jpg") returned 4 [0070.495] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0070.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0070.495] lstrlenW (lpString=".doc") returned 4 [0070.495] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.495] lstrlenW (lpString=".docx") returned 5 [0070.495] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0070.495] lstrlenW (lpString=".pdf") returned 4 [0070.495] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.495] lstrlenW (lpString=".xls") returned 4 [0070.495] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.495] lstrlenW (lpString=".xlsx") returned 5 [0070.496] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0070.496] lstrlenW (lpString=".ppt") returned 4 [0070.496] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0070.496] lstrlenW (lpString=".zip") returned 4 [0070.496] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.496] lstrlenW (lpString=".rar") returned 4 [0070.496] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.496] lstrlenW (lpString=".bz2") returned 4 [0070.496] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.496] lstrlenW (lpString=".7z") returned 3 [0070.496] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0070.496] lstrlenW (lpString=".dbf") returned 4 [0070.496] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0070.496] lstrlenW (lpString=".1cd") returned 4 [0070.496] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0070.496] lstrlenW (lpString=".jpg") returned 4 [0070.497] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.497] lstrcmpiW (lpString1=".PNG", lpString2=".bmd") returned 1 [0070.497] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0070.497] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0070.498] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=43276) returned 1 [0070.498] CloseHandle (hObject=0x188) returned 1 [0070.499] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png")) returned 0x20 [0070.499] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0070.499] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0070.499] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.499] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.499] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0070.500] GetLastError () returned 0x0 [0070.500] ReadFile (in: hFile=0x188, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0xa90c, lpOverlapped=0x0) returned 1 [0070.903] WriteFile (in: hFile=0x1ac, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xa910, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xa910, lpOverlapped=0x0) returned 1 [0070.905] ReadFile (in: hFile=0x188, lpBuffer=0x33c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c6fed4, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesRead=0x2c6fed4*=0x0, lpOverlapped=0x0) returned 1 [0070.905] WriteFile (in: hFile=0x1ac, lpBuffer=0x33c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x33c0020*, lpNumberOfBytesWritten=0x2c6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0070.906] SetEndOfFile (hFile=0x1ac) returned 1 [0070.906] CloseHandle (hObject=0x1ac) returned 1 [0070.906] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.906] SetEndOfFile (hFile=0x188) returned 1 [0070.908] CloseHandle (hObject=0x188) returned 1 [0070.908] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0070.908] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png")) returned 1 [0070.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0070.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0070.908] lstrlenW (lpString=".doc") returned 4 [0070.909] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0070.909] lstrlenW (lpString=".docx") returned 5 [0070.909] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0070.909] lstrlenW (lpString=".pdf") returned 4 [0070.909] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0070.909] lstrlenW (lpString=".xls") returned 4 [0070.909] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0070.909] lstrlenW (lpString=".xlsx") returned 5 [0070.909] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0070.909] lstrlenW (lpString=".ppt") returned 4 [0070.909] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0070.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0070.909] lstrlenW (lpString=".zip") returned 4 [0070.909] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0070.909] lstrlenW (lpString=".rar") returned 4 [0070.909] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0070.909] lstrlenW (lpString=".bz2") returned 4 [0070.909] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0070.909] lstrlenW (lpString=".7z") returned 3 [0070.909] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0070.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0070.909] lstrlenW (lpString=".dbf") returned 4 [0070.909] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0070.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0070.909] lstrlenW (lpString=".1cd") returned 4 [0070.909] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0070.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0070.910] lstrlenW (lpString=".jpg") returned 4 [0070.910] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0070.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0070.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0070.910] lstrlenW (lpString=".doc") returned 4 [0070.910] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0070.910] lstrlenW (lpString=".docx") returned 5 [0070.910] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0070.910] lstrlenW (lpString=".pdf") returned 4 [0070.910] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0070.910] lstrlenW (lpString=".xls") returned 4 [0070.910] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0070.910] lstrlenW (lpString=".xlsx") returned 5 [0070.910] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0070.910] lstrlenW (lpString=".ppt") returned 4 [0070.910] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0070.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0070.910] lstrlenW (lpString=".zip") returned 4 [0070.910] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0070.910] lstrlenW (lpString=".rar") returned 4 [0070.910] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0070.910] lstrlenW (lpString=".bz2") returned 4 [0070.910] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0070.911] lstrlenW (lpString=".7z") returned 3 [0070.911] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0070.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0070.911] lstrlenW (lpString=".dbf") returned 4 [0070.911] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0070.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0070.911] lstrlenW (lpString=".1cd") returned 4 [0070.911] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0070.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0070.911] lstrlenW (lpString=".jpg") returned 4 [0070.911] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0070.911] lstrcmpiW (lpString1=".GIF", lpString2=".bmd") returned 1 [0070.911] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0070.911] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0070.912] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2c6ff1c | out: lpFileSize=0x2c6ff1c*=1363) returned 1 [0070.912] CloseHandle (hObject=0x188) returned 1 [0070.912] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif")) returned 0x20 [0070.912] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0070.913] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0070.913] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.913] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c6fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.913] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 13 os_tid = 0x5d4 [0047.354] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x6c0cd8 [0047.355] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x6d0ce0 [0047.355] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646970 [0047.355] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x63ce48 [0047.355] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6469b8 [0047.355] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x3610020 [0047.355] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6469d0 [0047.355] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6469d0, Size=0x20) returned 0x63c690 [0047.355] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6469d0 [0047.355] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6469d0, Size=0x20) returned 0x63c708 [0047.355] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0047.356] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0047.356] Wow64DisableWow64FsRedirection (in: OldValue=0x2daff58 | out: OldValue=0x2daff58*=0x0) returned 1 [0047.356] lstrlenW (lpString="kernel32.dll") returned 12 [0047.356] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c690 | out: hHeap=0x5f0000) returned 1 [0047.356] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0047.356] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c708 | out: hHeap=0x5f0000) returned 1 [0047.356] Sleep (dwMilliseconds=0x64) [0047.495] Sleep (dwMilliseconds=0x64) [0047.734] Sleep (dwMilliseconds=0x64) [0047.847] Sleep (dwMilliseconds=0x64) [0047.949] lstrcmpiW (lpString1=".BAK", lpString2=".bmd") returned -1 [0047.949] lstrlenW (lpString="BOOTSECT.BAK") returned 12 [0047.949] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0047.950] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=8192) returned 1 [0047.950] CloseHandle (hObject=0x168) returned 1 [0047.951] GetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 0x27 [0047.951] GetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\bootsect.bak.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0047.951] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK", dwFileAttributes=0x26) returned 1 [0047.951] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0047.951] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.951] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.951] CreateFileW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\bootsect.bak.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0048.057] GetLastError () returned 0x0 [0048.058] ReadFile (in: hFile=0x168, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x2000, lpOverlapped=0x0) returned 1 [0048.330] WriteFile (in: hFile=0x16c, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x2010, lpOverlapped=0x0) returned 1 [0048.332] ReadFile (in: hFile=0x168, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0048.332] WriteFile (in: hFile=0x16c, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.332] SetEndOfFile (hFile=0x16c) returned 1 [0048.332] CloseHandle (hObject=0x16c) returned 1 [0048.333] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.333] SetEndOfFile (hFile=0x168) returned 1 [0048.334] CloseHandle (hObject=0x168) returned 1 [0048.334] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x27) returned 1 [0048.355] DeleteFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 1 [0048.355] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0048.355] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0048.355] lstrlenW (lpString=".doc") returned 4 [0048.355] lstrcmpiW (lpString1=".doc", lpString2=".BAK") returned 1 [0048.355] lstrlenW (lpString=".docx") returned 5 [0048.355] lstrcmpiW (lpString1=".docx", lpString2="T.BAK") returned -1 [0048.355] lstrlenW (lpString=".pdf") returned 4 [0048.356] lstrcmpiW (lpString1=".pdf", lpString2=".BAK") returned 1 [0048.356] lstrlenW (lpString=".xls") returned 4 [0048.356] lstrcmpiW (lpString1=".xls", lpString2=".BAK") returned 1 [0048.356] lstrlenW (lpString=".xlsx") returned 5 [0048.356] lstrcmpiW (lpString1=".xlsx", lpString2="T.BAK") returned -1 [0048.356] lstrlenW (lpString=".ppt") returned 4 [0048.356] lstrcmpiW (lpString1=".ppt", lpString2=".BAK") returned 1 [0048.356] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0048.356] lstrlenW (lpString=".zip") returned 4 [0048.356] lstrcmpiW (lpString1=".zip", lpString2=".BAK") returned 1 [0048.356] lstrlenW (lpString=".rar") returned 4 [0048.356] lstrcmpiW (lpString1=".rar", lpString2=".BAK") returned 1 [0048.357] lstrlenW (lpString=".bz2") returned 4 [0048.357] lstrcmpiW (lpString1=".bz2", lpString2=".BAK") returned 1 [0048.357] lstrlenW (lpString=".7z") returned 3 [0048.357] lstrcmpiW (lpString1=".7z", lpString2="BAK") returned -1 [0048.357] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0048.357] lstrlenW (lpString=".dbf") returned 4 [0048.357] lstrcmpiW (lpString1=".dbf", lpString2=".BAK") returned 1 [0048.357] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0048.357] lstrlenW (lpString=".1cd") returned 4 [0048.357] lstrcmpiW (lpString1=".1cd", lpString2=".BAK") returned -1 [0048.357] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0048.357] lstrlenW (lpString=".jpg") returned 4 [0048.357] lstrcmpiW (lpString1=".jpg", lpString2=".BAK") returned 1 [0048.357] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0048.357] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0048.357] lstrlenW (lpString=".doc") returned 4 [0048.357] lstrcmpiW (lpString1=".doc", lpString2=".BAK") returned 1 [0048.357] lstrlenW (lpString=".docx") returned 5 [0048.357] lstrcmpiW (lpString1=".docx", lpString2="T.BAK") returned -1 [0048.357] lstrlenW (lpString=".pdf") returned 4 [0048.357] lstrcmpiW (lpString1=".pdf", lpString2=".BAK") returned 1 [0048.357] lstrlenW (lpString=".xls") returned 4 [0048.357] lstrcmpiW (lpString1=".xls", lpString2=".BAK") returned 1 [0048.357] lstrlenW (lpString=".xlsx") returned 5 [0048.357] lstrcmpiW (lpString1=".xlsx", lpString2="T.BAK") returned -1 [0048.358] lstrlenW (lpString=".ppt") returned 4 [0048.358] lstrcmpiW (lpString1=".ppt", lpString2=".BAK") returned 1 [0048.358] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0048.358] lstrlenW (lpString=".zip") returned 4 [0048.358] lstrcmpiW (lpString1=".zip", lpString2=".BAK") returned 1 [0048.358] lstrlenW (lpString=".rar") returned 4 [0048.358] lstrcmpiW (lpString1=".rar", lpString2=".BAK") returned 1 [0048.358] lstrlenW (lpString=".bz2") returned 4 [0048.358] lstrcmpiW (lpString1=".bz2", lpString2=".BAK") returned 1 [0048.358] lstrlenW (lpString=".7z") returned 3 [0048.358] lstrcmpiW (lpString1=".7z", lpString2="BAK") returned -1 [0048.358] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0048.358] lstrlenW (lpString=".dbf") returned 4 [0048.358] lstrcmpiW (lpString1=".dbf", lpString2=".BAK") returned 1 [0048.358] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0048.358] lstrlenW (lpString=".1cd") returned 4 [0048.358] lstrcmpiW (lpString1=".1cd", lpString2=".BAK") returned -1 [0048.358] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0048.358] lstrlenW (lpString=".jpg") returned 4 [0048.358] lstrcmpiW (lpString1=".jpg", lpString2=".BAK") returned 1 [0048.358] Sleep (dwMilliseconds=0x64) [0048.507] Sleep (dwMilliseconds=0x64) [0048.890] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0048.890] lstrlenW (lpString="PublisherMUI.xml") returned 16 [0048.890] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0048.965] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1450) returned 1 [0048.965] CloseHandle (hObject=0x188) returned 1 [0048.965] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml")) returned 0x2020 [0048.965] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.965] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0048.965] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.965] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.965] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0048.965] GetLastError () returned 0x0 [0048.966] ReadFile (in: hFile=0x188, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x5aa, lpOverlapped=0x0) returned 1 [0048.967] WriteFile (in: hFile=0x1a8, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0048.968] ReadFile (in: hFile=0x188, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0048.968] WriteFile (in: hFile=0x1a8, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xf4, lpOverlapped=0x0) returned 1 [0048.968] SetEndOfFile (hFile=0x1a8) returned 1 [0048.968] CloseHandle (hObject=0x1a8) returned 1 [0048.969] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.969] SetEndOfFile (hFile=0x188) returned 1 [0048.970] CloseHandle (hObject=0x188) returned 1 [0048.970] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0048.971] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml")) returned 1 [0048.971] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0048.971] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0048.971] lstrlenW (lpString=".doc") returned 4 [0048.971] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0048.971] lstrlenW (lpString=".docx") returned 5 [0048.971] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0048.971] lstrlenW (lpString=".pdf") returned 4 [0048.971] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0048.971] lstrlenW (lpString=".xls") returned 4 [0048.971] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0048.971] lstrlenW (lpString=".xlsx") returned 5 [0048.971] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0048.971] lstrlenW (lpString=".ppt") returned 4 [0048.971] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0048.971] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0048.971] lstrlenW (lpString=".zip") returned 4 [0048.971] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0048.971] lstrlenW (lpString=".rar") returned 4 [0048.971] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0048.971] lstrlenW (lpString=".bz2") returned 4 [0048.971] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0048.971] lstrlenW (lpString=".7z") returned 3 [0048.971] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0048.971] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0048.971] lstrlenW (lpString=".dbf") returned 4 [0048.971] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0048.971] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0048.972] lstrlenW (lpString=".1cd") returned 4 [0048.972] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0048.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0048.972] lstrlenW (lpString=".jpg") returned 4 [0048.972] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0048.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0048.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0048.972] lstrlenW (lpString=".doc") returned 4 [0048.972] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0048.972] lstrlenW (lpString=".docx") returned 5 [0048.972] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0048.972] lstrlenW (lpString=".pdf") returned 4 [0048.972] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0048.972] lstrlenW (lpString=".xls") returned 4 [0048.972] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0048.972] lstrlenW (lpString=".xlsx") returned 5 [0048.972] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0048.972] lstrlenW (lpString=".ppt") returned 4 [0048.972] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0048.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0048.972] lstrlenW (lpString=".zip") returned 4 [0048.972] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0048.972] lstrlenW (lpString=".rar") returned 4 [0048.972] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0048.972] lstrlenW (lpString=".bz2") returned 4 [0048.972] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0048.972] lstrlenW (lpString=".7z") returned 3 [0048.972] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0048.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0048.972] lstrlenW (lpString=".dbf") returned 4 [0048.972] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0048.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0048.972] lstrlenW (lpString=".1cd") returned 4 [0048.972] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0048.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0048.972] lstrlenW (lpString=".jpg") returned 4 [0048.972] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0048.973] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0048.973] lstrlenW (lpString="OutlookMUI.xml") returned 14 [0048.973] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0048.974] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=3186) returned 1 [0048.974] CloseHandle (hObject=0x188) returned 1 [0048.974] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml")) returned 0x2020 [0048.974] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.974] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0048.974] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.974] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.974] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0048.974] GetLastError () returned 0x0 [0048.974] ReadFile (in: hFile=0x188, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0xc72, lpOverlapped=0x0) returned 1 [0048.977] WriteFile (in: hFile=0x1a8, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xc80, lpOverlapped=0x0) returned 1 [0048.978] ReadFile (in: hFile=0x188, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0048.978] WriteFile (in: hFile=0x1a8, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xf0, lpOverlapped=0x0) returned 1 [0048.978] SetEndOfFile (hFile=0x1a8) returned 1 [0048.978] CloseHandle (hObject=0x1a8) returned 1 [0048.979] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.979] SetEndOfFile (hFile=0x188) returned 1 [0048.980] CloseHandle (hObject=0x188) returned 1 [0048.980] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0048.980] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml")) returned 1 [0048.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0048.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0048.981] lstrlenW (lpString=".doc") returned 4 [0048.981] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0048.981] lstrlenW (lpString=".docx") returned 5 [0048.981] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0048.981] lstrlenW (lpString=".pdf") returned 4 [0048.981] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0048.981] lstrlenW (lpString=".xls") returned 4 [0048.981] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0048.981] lstrlenW (lpString=".xlsx") returned 5 [0048.981] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0048.981] lstrlenW (lpString=".ppt") returned 4 [0048.981] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0048.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0048.981] lstrlenW (lpString=".zip") returned 4 [0048.981] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0048.981] lstrlenW (lpString=".rar") returned 4 [0048.981] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0048.981] lstrlenW (lpString=".bz2") returned 4 [0048.981] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0048.981] lstrlenW (lpString=".7z") returned 3 [0048.981] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0048.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0048.981] lstrlenW (lpString=".dbf") returned 4 [0048.981] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0048.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0048.981] lstrlenW (lpString=".1cd") returned 4 [0048.981] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0048.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0048.981] lstrlenW (lpString=".jpg") returned 4 [0048.981] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0048.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0048.982] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0048.982] lstrlenW (lpString=".doc") returned 4 [0048.982] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0048.982] lstrlenW (lpString=".docx") returned 5 [0048.982] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0048.982] lstrlenW (lpString=".pdf") returned 4 [0048.982] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0048.982] lstrlenW (lpString=".xls") returned 4 [0048.982] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0048.982] lstrlenW (lpString=".xlsx") returned 5 [0048.982] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0048.982] lstrlenW (lpString=".ppt") returned 4 [0048.982] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0048.982] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0048.982] lstrlenW (lpString=".zip") returned 4 [0048.982] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0048.982] lstrlenW (lpString=".rar") returned 4 [0048.982] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0048.982] lstrlenW (lpString=".bz2") returned 4 [0048.982] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0048.982] lstrlenW (lpString=".7z") returned 3 [0048.982] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0048.982] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0048.982] lstrlenW (lpString=".dbf") returned 4 [0048.982] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0048.982] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0048.982] lstrlenW (lpString=".1cd") returned 4 [0048.982] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0048.982] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0048.982] lstrlenW (lpString=".jpg") returned 4 [0048.982] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0048.982] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0048.983] lstrlenW (lpString="Setup.xml") returned 9 [0048.983] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0048.983] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=4207) returned 1 [0048.983] CloseHandle (hObject=0x188) returned 1 [0048.983] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0048.983] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.983] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0048.983] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.983] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.983] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0048.983] GetLastError () returned 0x0 [0048.984] ReadFile (in: hFile=0x188, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x106f, lpOverlapped=0x0) returned 1 [0049.623] WriteFile (in: hFile=0x1a8, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x1070, lpOverlapped=0x0) returned 1 [0049.624] ReadFile (in: hFile=0x188, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0049.624] WriteFile (in: hFile=0x1a8, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.624] SetEndOfFile (hFile=0x1a8) returned 1 [0049.624] CloseHandle (hObject=0x1a8) returned 1 [0049.628] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.628] SetEndOfFile (hFile=0x188) returned 1 [0049.629] CloseHandle (hObject=0x188) returned 1 [0049.629] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0049.630] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0049.630] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.630] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.630] lstrlenW (lpString=".doc") returned 4 [0049.630] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0049.630] lstrlenW (lpString=".docx") returned 5 [0049.630] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0049.630] lstrlenW (lpString=".pdf") returned 4 [0049.630] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0049.630] lstrlenW (lpString=".xls") returned 4 [0049.630] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0049.630] lstrlenW (lpString=".xlsx") returned 5 [0049.630] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0049.630] lstrlenW (lpString=".ppt") returned 4 [0049.630] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0049.630] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.630] lstrlenW (lpString=".zip") returned 4 [0049.630] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0049.630] lstrlenW (lpString=".rar") returned 4 [0049.630] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0049.631] lstrlenW (lpString=".bz2") returned 4 [0049.631] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0049.631] lstrlenW (lpString=".7z") returned 3 [0049.631] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0049.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.631] lstrlenW (lpString=".dbf") returned 4 [0049.631] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0049.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.631] lstrlenW (lpString=".1cd") returned 4 [0049.631] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0049.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.631] lstrlenW (lpString=".jpg") returned 4 [0049.631] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0049.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.631] lstrlenW (lpString=".doc") returned 4 [0049.631] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0049.631] lstrlenW (lpString=".docx") returned 5 [0049.631] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0049.631] lstrlenW (lpString=".pdf") returned 4 [0049.631] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0049.631] lstrlenW (lpString=".xls") returned 4 [0049.631] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0049.631] lstrlenW (lpString=".xlsx") returned 5 [0049.631] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0049.631] lstrlenW (lpString=".ppt") returned 4 [0049.631] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0049.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.631] lstrlenW (lpString=".zip") returned 4 [0049.631] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0049.631] lstrlenW (lpString=".rar") returned 4 [0049.631] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0049.631] lstrlenW (lpString=".bz2") returned 4 [0049.631] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0049.631] lstrlenW (lpString=".7z") returned 3 [0049.632] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0049.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.632] lstrlenW (lpString=".dbf") returned 4 [0049.632] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0049.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.632] lstrlenW (lpString=".1cd") returned 4 [0049.632] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0049.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0049.632] lstrlenW (lpString=".jpg") returned 4 [0049.632] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0049.632] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0049.632] lstrlenW (lpString="Setup.xml") returned 9 [0049.632] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0049.632] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=2424) returned 1 [0049.632] CloseHandle (hObject=0x188) returned 1 [0049.632] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0049.632] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0049.633] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0049.633] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.633] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.633] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0049.635] GetLastError () returned 0x0 [0049.635] ReadFile (in: hFile=0x188, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x978, lpOverlapped=0x0) returned 1 [0050.899] WriteFile (in: hFile=0x1a8, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x980, lpOverlapped=0x0) returned 1 [0050.901] ReadFile (in: hFile=0x188, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0050.901] WriteFile (in: hFile=0x1a8, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0050.901] SetEndOfFile (hFile=0x1a8) returned 1 [0050.901] CloseHandle (hObject=0x1a8) returned 1 [0050.902] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0050.902] SetEndOfFile (hFile=0x188) returned 1 [0050.903] CloseHandle (hObject=0x188) returned 1 [0050.903] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0050.904] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0050.905] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0050.905] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0050.905] lstrlenW (lpString=".doc") returned 4 [0050.905] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0050.905] lstrlenW (lpString=".docx") returned 5 [0050.905] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0050.905] lstrlenW (lpString=".pdf") returned 4 [0050.905] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0050.905] lstrlenW (lpString=".xls") returned 4 [0050.905] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0050.905] lstrlenW (lpString=".xlsx") returned 5 [0050.905] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0050.905] lstrlenW (lpString=".ppt") returned 4 [0050.905] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0050.905] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0050.905] lstrlenW (lpString=".zip") returned 4 [0050.905] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0050.905] lstrlenW (lpString=".rar") returned 4 [0050.905] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0050.905] lstrlenW (lpString=".bz2") returned 4 [0050.905] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0050.905] lstrlenW (lpString=".7z") returned 3 [0050.905] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0050.906] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0050.906] lstrlenW (lpString=".dbf") returned 4 [0050.906] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0050.906] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0050.933] lstrlenW (lpString=".1cd") returned 4 [0050.933] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0050.933] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0050.934] lstrlenW (lpString=".jpg") returned 4 [0050.934] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0050.934] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0050.934] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0050.934] lstrlenW (lpString=".doc") returned 4 [0050.934] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0050.934] lstrlenW (lpString=".docx") returned 5 [0050.934] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0050.934] lstrlenW (lpString=".pdf") returned 4 [0050.934] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0050.934] lstrlenW (lpString=".xls") returned 4 [0050.934] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0050.934] lstrlenW (lpString=".xlsx") returned 5 [0050.934] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0050.934] lstrlenW (lpString=".ppt") returned 4 [0050.934] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0050.934] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0050.934] lstrlenW (lpString=".zip") returned 4 [0050.934] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0050.934] lstrlenW (lpString=".rar") returned 4 [0050.934] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0050.934] lstrlenW (lpString=".bz2") returned 4 [0050.934] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0050.934] lstrlenW (lpString=".7z") returned 3 [0050.934] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0050.934] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0050.935] lstrlenW (lpString=".dbf") returned 4 [0050.935] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0050.935] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0050.935] lstrlenW (lpString=".1cd") returned 4 [0050.935] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0050.935] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0050.935] lstrlenW (lpString=".jpg") returned 4 [0050.935] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0050.935] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0050.935] lstrlenW (lpString="Proof.xml") returned 9 [0050.935] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0050.936] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1458) returned 1 [0050.936] CloseHandle (hObject=0x188) returned 1 [0050.936] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml")) returned 0x2020 [0050.936] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0050.936] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0050.936] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0050.936] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0050.936] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0050.937] GetLastError () returned 0x0 [0050.937] ReadFile (in: hFile=0x188, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x5b2, lpOverlapped=0x0) returned 1 [0051.150] WriteFile (in: hFile=0x1a8, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0051.151] ReadFile (in: hFile=0x188, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0051.152] WriteFile (in: hFile=0x1a8, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0051.152] SetEndOfFile (hFile=0x1a8) returned 1 [0051.152] CloseHandle (hObject=0x1a8) returned 1 [0051.153] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0051.153] SetEndOfFile (hFile=0x188) returned 1 [0051.154] CloseHandle (hObject=0x188) returned 1 [0051.154] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.155] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml")) returned 1 [0051.155] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0051.155] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0051.155] lstrlenW (lpString=".doc") returned 4 [0051.155] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.155] lstrlenW (lpString=".docx") returned 5 [0051.155] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0051.155] lstrlenW (lpString=".pdf") returned 4 [0051.155] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.155] lstrlenW (lpString=".xls") returned 4 [0051.155] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.155] lstrlenW (lpString=".xlsx") returned 5 [0051.155] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0051.155] lstrlenW (lpString=".ppt") returned 4 [0051.155] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.156] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0051.156] lstrlenW (lpString=".zip") returned 4 [0051.156] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.156] lstrlenW (lpString=".rar") returned 4 [0051.156] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.156] lstrlenW (lpString=".bz2") returned 4 [0051.156] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.156] lstrlenW (lpString=".7z") returned 3 [0051.156] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.156] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0051.156] lstrlenW (lpString=".dbf") returned 4 [0051.156] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.156] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0051.156] lstrlenW (lpString=".1cd") returned 4 [0051.156] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.156] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0051.156] lstrlenW (lpString=".jpg") returned 4 [0051.156] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.156] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0051.156] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0051.156] lstrlenW (lpString=".doc") returned 4 [0051.156] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.156] lstrlenW (lpString=".docx") returned 5 [0051.156] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0051.156] lstrlenW (lpString=".pdf") returned 4 [0051.157] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.157] lstrlenW (lpString=".xls") returned 4 [0051.157] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.157] lstrlenW (lpString=".xlsx") returned 5 [0051.157] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0051.157] lstrlenW (lpString=".ppt") returned 4 [0051.157] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.157] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0051.157] lstrlenW (lpString=".zip") returned 4 [0051.157] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.157] lstrlenW (lpString=".rar") returned 4 [0051.157] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.157] lstrlenW (lpString=".bz2") returned 4 [0051.157] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.157] lstrlenW (lpString=".7z") returned 3 [0051.157] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.157] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0051.157] lstrlenW (lpString=".dbf") returned 4 [0051.157] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.157] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0051.157] lstrlenW (lpString=".1cd") returned 4 [0051.157] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.157] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0051.157] lstrlenW (lpString=".jpg") returned 4 [0051.157] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.158] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0051.158] lstrlenW (lpString="Setup.xml") returned 9 [0051.158] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0051.158] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=2362) returned 1 [0051.158] CloseHandle (hObject=0x188) returned 1 [0051.158] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0051.158] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0051.159] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0051.159] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0051.159] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0051.159] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0051.173] GetLastError () returned 0x0 [0051.173] ReadFile (in: hFile=0x188, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x93a, lpOverlapped=0x0) returned 1 [0051.262] WriteFile (in: hFile=0x1a8, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x940, lpOverlapped=0x0) returned 1 [0051.263] ReadFile (in: hFile=0x188, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0051.263] WriteFile (in: hFile=0x1a8, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0051.263] SetEndOfFile (hFile=0x1a8) returned 1 [0051.263] CloseHandle (hObject=0x1a8) returned 1 [0051.264] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0051.264] SetEndOfFile (hFile=0x188) returned 1 [0051.265] CloseHandle (hObject=0x188) returned 1 [0051.265] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.265] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0051.265] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.265] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.265] lstrlenW (lpString=".doc") returned 4 [0051.265] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.265] lstrlenW (lpString=".docx") returned 5 [0051.265] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0051.266] lstrlenW (lpString=".pdf") returned 4 [0051.266] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.266] lstrlenW (lpString=".xls") returned 4 [0051.266] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.266] lstrlenW (lpString=".xlsx") returned 5 [0051.266] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0051.266] lstrlenW (lpString=".ppt") returned 4 [0051.266] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.266] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.266] lstrlenW (lpString=".zip") returned 4 [0051.266] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.266] lstrlenW (lpString=".rar") returned 4 [0051.266] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.266] lstrlenW (lpString=".bz2") returned 4 [0051.266] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.266] lstrlenW (lpString=".7z") returned 3 [0051.266] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.266] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.266] lstrlenW (lpString=".dbf") returned 4 [0051.266] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.266] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.266] lstrlenW (lpString=".1cd") returned 4 [0051.266] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.266] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.266] lstrlenW (lpString=".jpg") returned 4 [0051.266] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.266] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.266] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.266] lstrlenW (lpString=".doc") returned 4 [0051.266] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.266] lstrlenW (lpString=".docx") returned 5 [0051.266] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0051.266] lstrlenW (lpString=".pdf") returned 4 [0051.266] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.266] lstrlenW (lpString=".xls") returned 4 [0051.267] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.267] lstrlenW (lpString=".xlsx") returned 5 [0051.267] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0051.267] lstrlenW (lpString=".ppt") returned 4 [0051.267] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.267] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.267] lstrlenW (lpString=".zip") returned 4 [0051.267] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.267] lstrlenW (lpString=".rar") returned 4 [0051.267] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.267] lstrlenW (lpString=".bz2") returned 4 [0051.267] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.267] lstrlenW (lpString=".7z") returned 3 [0051.267] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.267] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.267] lstrlenW (lpString=".dbf") returned 4 [0051.267] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.267] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.267] lstrlenW (lpString=".1cd") returned 4 [0051.267] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.267] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.267] lstrlenW (lpString=".jpg") returned 4 [0051.267] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.267] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0051.267] lstrlenW (lpString="VisioMUI.xml") returned 12 [0051.267] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0051.293] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=9503) returned 1 [0051.294] CloseHandle (hObject=0x1a8) returned 1 [0051.294] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml")) returned 0x2020 [0051.294] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0051.294] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0051.294] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0051.294] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0051.294] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0051.294] GetLastError () returned 0x0 [0051.295] ReadFile (in: hFile=0x1a8, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x251f, lpOverlapped=0x0) returned 1 [0051.297] WriteFile (in: hFile=0x194, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x2520, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x2520, lpOverlapped=0x0) returned 1 [0051.298] ReadFile (in: hFile=0x1a8, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0051.298] WriteFile (in: hFile=0x194, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.299] SetEndOfFile (hFile=0x194) returned 1 [0051.299] CloseHandle (hObject=0x194) returned 1 [0051.300] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0051.300] SetEndOfFile (hFile=0x1a8) returned 1 [0051.301] CloseHandle (hObject=0x1a8) returned 1 [0051.301] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.302] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml")) returned 1 [0051.302] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0051.302] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0051.302] lstrlenW (lpString=".doc") returned 4 [0051.302] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.302] lstrlenW (lpString=".docx") returned 5 [0051.302] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0051.302] lstrlenW (lpString=".pdf") returned 4 [0051.302] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.302] lstrlenW (lpString=".xls") returned 4 [0051.302] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.302] lstrlenW (lpString=".xlsx") returned 5 [0051.302] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0051.302] lstrlenW (lpString=".ppt") returned 4 [0051.303] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.303] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0051.303] lstrlenW (lpString=".zip") returned 4 [0051.303] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.303] lstrlenW (lpString=".rar") returned 4 [0051.303] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.303] lstrlenW (lpString=".bz2") returned 4 [0051.303] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.303] lstrlenW (lpString=".7z") returned 3 [0051.303] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.303] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0051.303] lstrlenW (lpString=".dbf") returned 4 [0051.303] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.303] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0051.303] lstrlenW (lpString=".1cd") returned 4 [0051.303] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.303] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0051.303] lstrlenW (lpString=".jpg") returned 4 [0051.303] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.303] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0051.303] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0051.303] lstrlenW (lpString=".doc") returned 4 [0051.303] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.303] lstrlenW (lpString=".docx") returned 5 [0051.303] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0051.303] lstrlenW (lpString=".pdf") returned 4 [0051.303] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.304] lstrlenW (lpString=".xls") returned 4 [0051.304] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.304] lstrlenW (lpString=".xlsx") returned 5 [0051.304] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0051.304] lstrlenW (lpString=".ppt") returned 4 [0051.304] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.304] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0051.304] lstrlenW (lpString=".zip") returned 4 [0051.304] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.304] lstrlenW (lpString=".rar") returned 4 [0051.304] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.304] lstrlenW (lpString=".bz2") returned 4 [0051.304] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.304] lstrlenW (lpString=".7z") returned 3 [0051.304] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.304] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0051.304] lstrlenW (lpString=".dbf") returned 4 [0051.304] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.304] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0051.304] lstrlenW (lpString=".1cd") returned 4 [0051.304] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.304] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0051.304] lstrlenW (lpString=".jpg") returned 4 [0051.304] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.305] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0051.305] lstrlenW (lpString="ProjectMUI.xml") returned 14 [0051.305] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0051.307] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1452) returned 1 [0051.307] CloseHandle (hObject=0x1a8) returned 1 [0051.307] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml")) returned 0x2020 [0051.307] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0051.307] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0051.307] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0051.307] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0051.307] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0051.308] GetLastError () returned 0x0 [0051.308] ReadFile (in: hFile=0x1a8, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x5ac, lpOverlapped=0x0) returned 1 [0051.310] WriteFile (in: hFile=0x194, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0051.311] ReadFile (in: hFile=0x1a8, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0051.311] WriteFile (in: hFile=0x194, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xf0, lpOverlapped=0x0) returned 1 [0051.311] SetEndOfFile (hFile=0x194) returned 1 [0051.311] CloseHandle (hObject=0x194) returned 1 [0051.312] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0051.312] SetEndOfFile (hFile=0x1a8) returned 1 [0051.313] CloseHandle (hObject=0x1a8) returned 1 [0051.313] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.314] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml")) returned 1 [0051.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0051.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0051.314] lstrlenW (lpString=".doc") returned 4 [0051.314] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.314] lstrlenW (lpString=".docx") returned 5 [0051.314] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0051.314] lstrlenW (lpString=".pdf") returned 4 [0051.314] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.314] lstrlenW (lpString=".xls") returned 4 [0051.314] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.314] lstrlenW (lpString=".xlsx") returned 5 [0051.314] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0051.315] lstrlenW (lpString=".ppt") returned 4 [0051.315] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0051.315] lstrlenW (lpString=".zip") returned 4 [0051.315] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.315] lstrlenW (lpString=".rar") returned 4 [0051.315] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.315] lstrlenW (lpString=".bz2") returned 4 [0051.315] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.315] lstrlenW (lpString=".7z") returned 3 [0051.315] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0051.315] lstrlenW (lpString=".dbf") returned 4 [0051.315] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0051.315] lstrlenW (lpString=".1cd") returned 4 [0051.315] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0051.315] lstrlenW (lpString=".jpg") returned 4 [0051.315] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0051.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0051.315] lstrlenW (lpString=".doc") returned 4 [0051.315] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.316] lstrlenW (lpString=".docx") returned 5 [0051.316] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0051.316] lstrlenW (lpString=".pdf") returned 4 [0051.316] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.316] lstrlenW (lpString=".xls") returned 4 [0051.316] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.316] lstrlenW (lpString=".xlsx") returned 5 [0051.316] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0051.316] lstrlenW (lpString=".ppt") returned 4 [0051.316] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0051.316] lstrlenW (lpString=".zip") returned 4 [0051.316] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.316] lstrlenW (lpString=".rar") returned 4 [0051.316] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.316] lstrlenW (lpString=".bz2") returned 4 [0051.316] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.316] lstrlenW (lpString=".7z") returned 3 [0051.316] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0051.316] lstrlenW (lpString=".dbf") returned 4 [0051.316] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0051.316] lstrlenW (lpString=".1cd") returned 4 [0051.316] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0051.316] lstrlenW (lpString=".jpg") returned 4 [0051.316] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.317] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0051.317] lstrlenW (lpString="Setup.xml") returned 9 [0051.317] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0051.317] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1872) returned 1 [0051.317] CloseHandle (hObject=0x1a8) returned 1 [0051.317] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0051.317] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0051.318] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0051.318] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0051.547] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0051.547] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0051.560] GetLastError () returned 0x0 [0051.560] ReadFile (in: hFile=0x1a8, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x750, lpOverlapped=0x0) returned 1 [0051.752] WriteFile (in: hFile=0x184, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x760, lpOverlapped=0x0) returned 1 [0051.753] ReadFile (in: hFile=0x1a8, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0051.753] WriteFile (in: hFile=0x184, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0051.753] SetEndOfFile (hFile=0x184) returned 1 [0051.753] CloseHandle (hObject=0x184) returned 1 [0051.755] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0051.755] SetEndOfFile (hFile=0x1a8) returned 1 [0051.756] CloseHandle (hObject=0x1a8) returned 1 [0051.756] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.757] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0051.757] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.757] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.757] lstrlenW (lpString=".doc") returned 4 [0051.757] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.757] lstrlenW (lpString=".docx") returned 5 [0051.757] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0051.757] lstrlenW (lpString=".pdf") returned 4 [0051.757] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.757] lstrlenW (lpString=".xls") returned 4 [0051.757] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.757] lstrlenW (lpString=".xlsx") returned 5 [0051.757] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0051.757] lstrlenW (lpString=".ppt") returned 4 [0051.757] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.757] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.758] lstrlenW (lpString=".zip") returned 4 [0051.758] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.758] lstrlenW (lpString=".rar") returned 4 [0051.758] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.758] lstrlenW (lpString=".bz2") returned 4 [0051.758] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.758] lstrlenW (lpString=".7z") returned 3 [0051.758] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.758] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.758] lstrlenW (lpString=".dbf") returned 4 [0051.758] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.758] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.758] lstrlenW (lpString=".1cd") returned 4 [0051.758] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.758] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.758] lstrlenW (lpString=".jpg") returned 4 [0051.758] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.758] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.758] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.758] lstrlenW (lpString=".doc") returned 4 [0051.758] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.758] lstrlenW (lpString=".docx") returned 5 [0051.758] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0051.758] lstrlenW (lpString=".pdf") returned 4 [0051.758] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.758] lstrlenW (lpString=".xls") returned 4 [0051.758] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.758] lstrlenW (lpString=".xlsx") returned 5 [0051.758] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0051.758] lstrlenW (lpString=".ppt") returned 4 [0051.758] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.759] lstrlenW (lpString=".zip") returned 4 [0051.759] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.759] lstrlenW (lpString=".rar") returned 4 [0051.759] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.759] lstrlenW (lpString=".bz2") returned 4 [0051.759] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.759] lstrlenW (lpString=".7z") returned 3 [0051.759] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.759] lstrlenW (lpString=".dbf") returned 4 [0051.759] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.759] lstrlenW (lpString=".1cd") returned 4 [0051.759] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.759] lstrlenW (lpString=".jpg") returned 4 [0051.759] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.759] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0051.759] lstrlenW (lpString="Setup.xml") returned 9 [0051.759] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0051.759] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=9352) returned 1 [0051.760] CloseHandle (hObject=0x1a8) returned 1 [0051.760] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0051.760] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0051.760] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0051.760] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0051.760] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0051.760] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0051.760] GetLastError () returned 0x0 [0051.760] ReadFile (in: hFile=0x1a8, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x2488, lpOverlapped=0x0) returned 1 [0051.858] WriteFile (in: hFile=0x184, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x2490, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x2490, lpOverlapped=0x0) returned 1 [0051.872] ReadFile (in: hFile=0x1a8, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0051.872] WriteFile (in: hFile=0x184, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0051.872] SetEndOfFile (hFile=0x184) returned 1 [0051.873] CloseHandle (hObject=0x184) returned 1 [0051.884] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0051.884] SetEndOfFile (hFile=0x1a8) returned 1 [0051.891] CloseHandle (hObject=0x1a8) returned 1 [0051.891] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.891] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0051.891] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.892] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.892] lstrlenW (lpString=".doc") returned 4 [0051.892] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.892] lstrlenW (lpString=".docx") returned 5 [0051.892] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0051.892] lstrlenW (lpString=".pdf") returned 4 [0051.892] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.892] lstrlenW (lpString=".xls") returned 4 [0051.892] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.892] lstrlenW (lpString=".xlsx") returned 5 [0051.892] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0051.892] lstrlenW (lpString=".ppt") returned 4 [0051.892] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.892] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.892] lstrlenW (lpString=".zip") returned 4 [0051.892] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.892] lstrlenW (lpString=".rar") returned 4 [0051.892] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.892] lstrlenW (lpString=".bz2") returned 4 [0051.892] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.892] lstrlenW (lpString=".7z") returned 3 [0051.892] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.892] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.892] lstrlenW (lpString=".dbf") returned 4 [0051.892] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.892] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.892] lstrlenW (lpString=".1cd") returned 4 [0051.892] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.892] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.892] lstrlenW (lpString=".jpg") returned 4 [0051.892] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.892] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.892] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.892] lstrlenW (lpString=".doc") returned 4 [0051.892] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.892] lstrlenW (lpString=".docx") returned 5 [0051.893] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0051.893] lstrlenW (lpString=".pdf") returned 4 [0051.893] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.893] lstrlenW (lpString=".xls") returned 4 [0051.893] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.893] lstrlenW (lpString=".xlsx") returned 5 [0051.893] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0051.893] lstrlenW (lpString=".ppt") returned 4 [0051.893] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.893] lstrlenW (lpString=".zip") returned 4 [0051.893] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.893] lstrlenW (lpString=".rar") returned 4 [0051.893] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.893] lstrlenW (lpString=".bz2") returned 4 [0051.893] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.893] lstrlenW (lpString=".7z") returned 3 [0051.893] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.893] lstrlenW (lpString=".dbf") returned 4 [0051.893] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.893] lstrlenW (lpString=".1cd") returned 4 [0051.893] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.893] lstrlenW (lpString=".jpg") returned 4 [0051.893] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.893] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0051.893] lstrlenW (lpString="branding.xml") returned 12 [0051.893] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.896] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=596341) returned 1 [0051.896] CloseHandle (hObject=0x204) returned 1 [0051.896] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml")) returned 0x2020 [0051.896] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0051.896] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.896] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0051.896] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0051.896] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0051.897] GetLastError () returned 0x0 [0051.897] ReadFile (in: hFile=0x204, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x91975, lpOverlapped=0x0) returned 1 [0052.076] WriteFile (in: hFile=0x184, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x91980, lpOverlapped=0x0) returned 1 [0052.414] ReadFile (in: hFile=0x204, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0052.414] WriteFile (in: hFile=0x184, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.415] SetEndOfFile (hFile=0x184) returned 1 [0052.415] CloseHandle (hObject=0x184) returned 1 [0052.421] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.421] SetEndOfFile (hFile=0x204) returned 1 [0052.427] CloseHandle (hObject=0x204) returned 1 [0052.427] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0052.427] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml")) returned 1 [0052.428] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0052.428] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0052.428] lstrlenW (lpString=".doc") returned 4 [0052.428] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.428] lstrlenW (lpString=".docx") returned 5 [0052.428] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0052.428] lstrlenW (lpString=".pdf") returned 4 [0052.428] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.428] lstrlenW (lpString=".xls") returned 4 [0052.428] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.428] lstrlenW (lpString=".xlsx") returned 5 [0052.428] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0052.428] lstrlenW (lpString=".ppt") returned 4 [0052.428] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.428] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0052.428] lstrlenW (lpString=".zip") returned 4 [0052.428] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.428] lstrlenW (lpString=".rar") returned 4 [0052.428] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.428] lstrlenW (lpString=".bz2") returned 4 [0052.428] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.428] lstrlenW (lpString=".7z") returned 3 [0052.428] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.428] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0052.428] lstrlenW (lpString=".dbf") returned 4 [0052.428] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.428] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0052.428] lstrlenW (lpString=".1cd") returned 4 [0052.428] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.428] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0052.428] lstrlenW (lpString=".jpg") returned 4 [0052.428] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.428] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0052.429] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0052.429] lstrlenW (lpString=".doc") returned 4 [0052.429] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.429] lstrlenW (lpString=".docx") returned 5 [0052.429] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0052.429] lstrlenW (lpString=".pdf") returned 4 [0052.429] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.429] lstrlenW (lpString=".xls") returned 4 [0052.429] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.429] lstrlenW (lpString=".xlsx") returned 5 [0052.429] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0052.429] lstrlenW (lpString=".ppt") returned 4 [0052.429] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.429] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0052.429] lstrlenW (lpString=".zip") returned 4 [0052.429] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.429] lstrlenW (lpString=".rar") returned 4 [0052.429] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.429] lstrlenW (lpString=".bz2") returned 4 [0052.429] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.429] lstrlenW (lpString=".7z") returned 3 [0052.429] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.429] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0052.429] lstrlenW (lpString=".dbf") returned 4 [0052.429] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.429] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0052.429] lstrlenW (lpString=".1cd") returned 4 [0052.429] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.429] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0052.429] lstrlenW (lpString=".jpg") returned 4 [0052.429] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.429] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0052.430] lstrlenW (lpString="Office32WW.xml") returned 14 [0052.430] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0052.431] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=4274) returned 1 [0052.431] CloseHandle (hObject=0x204) returned 1 [0052.431] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0052.431] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0052.431] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0052.431] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.431] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.431] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0052.432] GetLastError () returned 0x0 [0052.432] ReadFile (in: hFile=0x204, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x10b2, lpOverlapped=0x0) returned 1 [0052.779] WriteFile (in: hFile=0x184, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0052.780] ReadFile (in: hFile=0x204, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0052.780] WriteFile (in: hFile=0x184, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xf0, lpOverlapped=0x0) returned 1 [0052.781] SetEndOfFile (hFile=0x184) returned 1 [0052.781] CloseHandle (hObject=0x184) returned 1 [0052.782] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.782] SetEndOfFile (hFile=0x204) returned 1 [0052.783] CloseHandle (hObject=0x204) returned 1 [0052.783] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0052.783] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0052.783] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.783] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.784] lstrlenW (lpString=".doc") returned 4 [0052.784] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.784] lstrlenW (lpString=".docx") returned 5 [0052.784] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0052.784] lstrlenW (lpString=".pdf") returned 4 [0052.784] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.784] lstrlenW (lpString=".xls") returned 4 [0052.784] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.784] lstrlenW (lpString=".xlsx") returned 5 [0052.784] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0052.784] lstrlenW (lpString=".ppt") returned 4 [0052.784] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.784] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.784] lstrlenW (lpString=".zip") returned 4 [0052.784] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.784] lstrlenW (lpString=".rar") returned 4 [0052.784] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.784] lstrlenW (lpString=".bz2") returned 4 [0052.784] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.784] lstrlenW (lpString=".7z") returned 3 [0052.784] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.784] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.784] lstrlenW (lpString=".dbf") returned 4 [0052.784] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.784] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.785] lstrlenW (lpString=".1cd") returned 4 [0052.785] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.785] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.785] lstrlenW (lpString=".jpg") returned 4 [0052.785] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.785] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.785] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.785] lstrlenW (lpString=".doc") returned 4 [0052.785] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.785] lstrlenW (lpString=".docx") returned 5 [0052.785] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0052.785] lstrlenW (lpString=".pdf") returned 4 [0052.785] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.785] lstrlenW (lpString=".xls") returned 4 [0052.785] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.785] lstrlenW (lpString=".xlsx") returned 5 [0052.785] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0052.785] lstrlenW (lpString=".ppt") returned 4 [0052.785] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.785] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.785] lstrlenW (lpString=".zip") returned 4 [0052.785] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.785] lstrlenW (lpString=".rar") returned 4 [0052.785] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.785] lstrlenW (lpString=".bz2") returned 4 [0052.785] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.785] lstrlenW (lpString=".7z") returned 3 [0052.785] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.785] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.785] lstrlenW (lpString=".dbf") returned 4 [0052.785] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.785] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.785] lstrlenW (lpString=".1cd") returned 4 [0052.785] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.786] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0052.786] lstrlenW (lpString=".jpg") returned 4 [0052.786] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.786] lstrcmpiW (lpString1=".PNG", lpString2=".bmd") returned 1 [0052.786] lstrlenW (lpString="MS.PNG") returned 6 [0052.786] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0054.895] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1682) returned 1 [0054.895] CloseHandle (hObject=0x190) returned 1 [0054.895] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png")) returned 0x20 [0054.895] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0054.896] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0054.896] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.896] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.896] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0054.896] GetLastError () returned 0x0 [0054.896] ReadFile (in: hFile=0x190, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x692, lpOverlapped=0x0) returned 1 [0056.160] WriteFile (in: hFile=0x198, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x6a0, lpOverlapped=0x0) returned 1 [0056.162] ReadFile (in: hFile=0x190, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0056.166] WriteFile (in: hFile=0x198, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe0, lpOverlapped=0x0) returned 1 [0056.166] SetEndOfFile (hFile=0x198) returned 1 [0056.166] CloseHandle (hObject=0x198) returned 1 [0056.167] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.167] SetEndOfFile (hFile=0x190) returned 1 [0056.168] CloseHandle (hObject=0x190) returned 1 [0056.168] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0056.169] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png")) returned 1 [0056.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0056.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0056.169] lstrlenW (lpString=".doc") returned 4 [0056.169] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0056.169] lstrlenW (lpString=".docx") returned 5 [0056.169] lstrcmpiW (lpString1=".docx", lpString2="S.PNG") returned -1 [0056.169] lstrlenW (lpString=".pdf") returned 4 [0056.169] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0056.169] lstrlenW (lpString=".xls") returned 4 [0056.170] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0056.170] lstrlenW (lpString=".xlsx") returned 5 [0056.170] lstrcmpiW (lpString1=".xlsx", lpString2="S.PNG") returned -1 [0056.170] lstrlenW (lpString=".ppt") returned 4 [0056.170] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0056.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0056.171] lstrlenW (lpString=".zip") returned 4 [0056.171] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0056.171] lstrlenW (lpString=".rar") returned 4 [0056.171] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0056.171] lstrlenW (lpString=".bz2") returned 4 [0056.171] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0056.171] lstrlenW (lpString=".7z") returned 3 [0056.171] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0056.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0056.171] lstrlenW (lpString=".dbf") returned 4 [0056.171] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0056.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0056.171] lstrlenW (lpString=".1cd") returned 4 [0056.171] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0056.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0056.171] lstrlenW (lpString=".jpg") returned 4 [0056.171] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0056.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0056.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0056.171] lstrlenW (lpString=".doc") returned 4 [0056.171] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0056.171] lstrlenW (lpString=".docx") returned 5 [0056.171] lstrcmpiW (lpString1=".docx", lpString2="S.PNG") returned -1 [0056.171] lstrlenW (lpString=".pdf") returned 4 [0056.171] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0056.171] lstrlenW (lpString=".xls") returned 4 [0056.171] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0056.171] lstrlenW (lpString=".xlsx") returned 5 [0056.171] lstrcmpiW (lpString1=".xlsx", lpString2="S.PNG") returned -1 [0056.172] lstrlenW (lpString=".ppt") returned 4 [0056.172] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0056.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0056.172] lstrlenW (lpString=".zip") returned 4 [0056.172] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0056.172] lstrlenW (lpString=".rar") returned 4 [0056.172] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0056.172] lstrlenW (lpString=".bz2") returned 4 [0056.172] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0056.172] lstrlenW (lpString=".7z") returned 3 [0056.172] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0056.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0056.172] lstrlenW (lpString=".dbf") returned 4 [0056.172] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0056.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0056.172] lstrlenW (lpString=".1cd") returned 4 [0056.172] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0056.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0056.172] lstrlenW (lpString=".jpg") returned 4 [0056.172] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0056.172] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0056.172] lstrlenW (lpString="Content.xml") returned 11 [0056.172] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0057.768] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=27045) returned 1 [0057.768] CloseHandle (hObject=0x1a0) returned 1 [0057.768] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml")) returned 0x20 [0057.768] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0057.768] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0057.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0057.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0057.769] lstrlenW (lpString=".doc") returned 4 [0057.769] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0057.769] lstrlenW (lpString=".docx") returned 5 [0057.769] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0057.769] lstrlenW (lpString=".pdf") returned 4 [0057.769] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0057.769] lstrlenW (lpString=".xls") returned 4 [0057.769] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0057.769] lstrlenW (lpString=".xlsx") returned 5 [0057.769] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0057.769] lstrlenW (lpString=".ppt") returned 4 [0057.769] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0057.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0057.769] lstrlenW (lpString=".zip") returned 4 [0057.769] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0057.769] lstrlenW (lpString=".rar") returned 4 [0057.769] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0057.769] lstrlenW (lpString=".bz2") returned 4 [0057.769] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0057.769] lstrlenW (lpString=".7z") returned 3 [0057.769] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0057.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0057.769] lstrlenW (lpString=".dbf") returned 4 [0057.769] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0057.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0057.769] lstrlenW (lpString=".1cd") returned 4 [0057.769] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0057.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0057.770] lstrlenW (lpString=".jpg") returned 4 [0057.770] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0057.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0057.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0057.770] lstrlenW (lpString=".doc") returned 4 [0057.770] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0057.770] lstrlenW (lpString=".docx") returned 5 [0057.770] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0057.770] lstrlenW (lpString=".pdf") returned 4 [0057.770] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0057.770] lstrlenW (lpString=".xls") returned 4 [0057.770] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0057.770] lstrlenW (lpString=".xlsx") returned 5 [0057.770] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0057.770] lstrlenW (lpString=".ppt") returned 4 [0057.770] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0057.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0057.770] lstrlenW (lpString=".zip") returned 4 [0057.770] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0057.770] lstrlenW (lpString=".rar") returned 4 [0057.770] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0057.770] lstrlenW (lpString=".bz2") returned 4 [0057.770] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0057.770] lstrlenW (lpString=".7z") returned 3 [0057.770] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0057.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0057.770] lstrlenW (lpString=".dbf") returned 4 [0057.771] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0057.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0057.771] lstrlenW (lpString=".1cd") returned 4 [0057.771] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0057.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0057.771] lstrlenW (lpString=".jpg") returned 4 [0057.771] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0057.771] lstrcmpiW (lpString1=".avi", lpString2=".bmd") returned -1 [0057.771] lstrlenW (lpString="boxed-correct.avi") returned 17 [0057.771] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0058.011] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=89600) returned 1 [0058.011] CloseHandle (hObject=0x1d0) returned 1 [0058.011] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi")) returned 0x20 [0058.011] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.012] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0058.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0058.012] lstrlenW (lpString=".doc") returned 4 [0058.012] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0058.012] lstrlenW (lpString=".docx") returned 5 [0058.012] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0058.012] lstrlenW (lpString=".pdf") returned 4 [0058.012] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0058.012] lstrlenW (lpString=".xls") returned 4 [0058.012] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0058.012] lstrlenW (lpString=".xlsx") returned 5 [0058.012] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0058.012] lstrlenW (lpString=".ppt") returned 4 [0058.012] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0058.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0058.012] lstrlenW (lpString=".zip") returned 4 [0058.012] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0058.012] lstrlenW (lpString=".rar") returned 4 [0058.012] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0058.012] lstrlenW (lpString=".bz2") returned 4 [0058.012] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0058.012] lstrlenW (lpString=".7z") returned 3 [0058.013] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0058.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0058.013] lstrlenW (lpString=".dbf") returned 4 [0058.013] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0058.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0058.013] lstrlenW (lpString=".1cd") returned 4 [0058.013] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0058.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0058.013] lstrlenW (lpString=".jpg") returned 4 [0058.013] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0058.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0058.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0058.013] lstrlenW (lpString=".doc") returned 4 [0058.013] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0058.013] lstrlenW (lpString=".docx") returned 5 [0058.013] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0058.013] lstrlenW (lpString=".pdf") returned 4 [0058.013] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0058.013] lstrlenW (lpString=".xls") returned 4 [0058.013] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0058.013] lstrlenW (lpString=".xlsx") returned 5 [0058.013] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0058.013] lstrlenW (lpString=".ppt") returned 4 [0058.013] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0058.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0058.013] lstrlenW (lpString=".zip") returned 4 [0058.013] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0058.014] lstrlenW (lpString=".rar") returned 4 [0058.014] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0058.014] lstrlenW (lpString=".bz2") returned 4 [0058.014] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0058.014] lstrlenW (lpString=".7z") returned 3 [0058.014] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0058.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0058.014] lstrlenW (lpString=".dbf") returned 4 [0058.014] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0058.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0058.014] lstrlenW (lpString=".1cd") returned 4 [0058.014] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0058.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0058.014] lstrlenW (lpString=".jpg") returned 4 [0058.014] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0058.014] lstrcmpiW (lpString1=".avi", lpString2=".bmd") returned -1 [0058.014] lstrlenW (lpString="boxed-split.avi") returned 15 [0058.014] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0058.015] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=62976) returned 1 [0058.015] CloseHandle (hObject=0x1d0) returned 1 [0058.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi")) returned 0x20 [0058.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.015] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0058.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0058.015] lstrlenW (lpString=".doc") returned 4 [0058.015] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0058.015] lstrlenW (lpString=".docx") returned 5 [0058.015] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0058.015] lstrlenW (lpString=".pdf") returned 4 [0058.015] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0058.015] lstrlenW (lpString=".xls") returned 4 [0058.015] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0058.015] lstrlenW (lpString=".xlsx") returned 5 [0058.016] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0058.016] lstrlenW (lpString=".ppt") returned 4 [0058.016] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0058.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0058.016] lstrlenW (lpString=".zip") returned 4 [0058.016] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0058.016] lstrlenW (lpString=".rar") returned 4 [0058.016] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0058.016] lstrlenW (lpString=".bz2") returned 4 [0058.016] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0058.016] lstrlenW (lpString=".7z") returned 3 [0058.016] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0058.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0058.016] lstrlenW (lpString=".dbf") returned 4 [0058.016] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0058.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0058.016] lstrlenW (lpString=".1cd") returned 4 [0058.016] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0058.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0058.016] lstrlenW (lpString=".jpg") returned 4 [0058.016] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0058.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0058.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0058.016] lstrlenW (lpString=".doc") returned 4 [0058.016] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0058.016] lstrlenW (lpString=".docx") returned 5 [0058.016] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0058.016] lstrlenW (lpString=".pdf") returned 4 [0058.017] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0058.017] lstrlenW (lpString=".xls") returned 4 [0058.017] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0058.017] lstrlenW (lpString=".xlsx") returned 5 [0058.017] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0058.017] lstrlenW (lpString=".ppt") returned 4 [0058.017] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0058.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0058.017] lstrlenW (lpString=".zip") returned 4 [0058.017] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0058.017] lstrlenW (lpString=".rar") returned 4 [0058.017] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0058.017] lstrlenW (lpString=".bz2") returned 4 [0058.017] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0058.017] lstrlenW (lpString=".7z") returned 3 [0058.017] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0058.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0058.017] lstrlenW (lpString=".dbf") returned 4 [0058.017] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0058.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0058.017] lstrlenW (lpString=".1cd") returned 4 [0058.017] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0058.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0058.017] lstrlenW (lpString=".jpg") returned 4 [0058.017] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0058.018] lstrcmpiW (lpString1=".avi", lpString2=".bmd") returned -1 [0058.018] lstrlenW (lpString="correct.avi") returned 11 [0058.018] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0058.018] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=197120) returned 1 [0058.018] CloseHandle (hObject=0x1d0) returned 1 [0058.018] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi")) returned 0x20 [0058.018] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.018] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0058.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0058.018] lstrlenW (lpString=".doc") returned 4 [0058.019] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0058.019] lstrlenW (lpString=".docx") returned 5 [0058.019] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0058.019] lstrlenW (lpString=".pdf") returned 4 [0058.019] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0058.019] lstrlenW (lpString=".xls") returned 4 [0058.019] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0058.019] lstrlenW (lpString=".xlsx") returned 5 [0058.019] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0058.019] lstrlenW (lpString=".ppt") returned 4 [0058.019] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0058.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0058.019] lstrlenW (lpString=".zip") returned 4 [0058.019] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0058.019] lstrlenW (lpString=".rar") returned 4 [0058.019] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0058.019] lstrlenW (lpString=".bz2") returned 4 [0058.019] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0058.019] lstrlenW (lpString=".7z") returned 3 [0058.019] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0058.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0058.019] lstrlenW (lpString=".dbf") returned 4 [0058.019] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0058.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0058.019] lstrlenW (lpString=".1cd") returned 4 [0058.019] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0058.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0058.019] lstrlenW (lpString=".jpg") returned 4 [0058.019] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0058.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0058.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0058.020] lstrlenW (lpString=".doc") returned 4 [0058.020] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0058.020] lstrlenW (lpString=".docx") returned 5 [0058.020] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0058.020] lstrlenW (lpString=".pdf") returned 4 [0058.020] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0058.020] lstrlenW (lpString=".xls") returned 4 [0058.020] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0058.020] lstrlenW (lpString=".xlsx") returned 5 [0058.020] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0058.020] lstrlenW (lpString=".ppt") returned 4 [0058.020] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0058.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0058.020] lstrlenW (lpString=".zip") returned 4 [0058.020] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0058.020] lstrlenW (lpString=".rar") returned 4 [0058.020] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0058.020] lstrlenW (lpString=".bz2") returned 4 [0058.020] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0058.020] lstrlenW (lpString=".7z") returned 3 [0058.020] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0058.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0058.020] lstrlenW (lpString=".dbf") returned 4 [0058.020] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0058.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0058.020] lstrlenW (lpString=".1cd") returned 4 [0058.021] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0058.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0058.021] lstrlenW (lpString=".jpg") returned 4 [0058.021] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0058.021] lstrcmpiW (lpString1=".avi", lpString2=".bmd") returned -1 [0058.021] lstrlenW (lpString="delete.avi") returned 10 [0058.021] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0058.022] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=224256) returned 1 [0058.022] CloseHandle (hObject=0x1d0) returned 1 [0058.022] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi")) returned 0x20 [0058.022] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.022] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.022] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0058.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0058.023] lstrlenW (lpString=".doc") returned 4 [0058.023] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0058.023] lstrlenW (lpString=".docx") returned 5 [0058.023] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0058.023] lstrlenW (lpString=".pdf") returned 4 [0058.023] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0058.023] lstrlenW (lpString=".xls") returned 4 [0058.023] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0058.023] lstrlenW (lpString=".xlsx") returned 5 [0058.023] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0058.023] lstrlenW (lpString=".ppt") returned 4 [0058.023] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0058.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0058.023] lstrlenW (lpString=".zip") returned 4 [0058.023] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0058.023] lstrlenW (lpString=".rar") returned 4 [0058.023] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0058.023] lstrlenW (lpString=".bz2") returned 4 [0058.023] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0058.023] lstrlenW (lpString=".7z") returned 3 [0058.023] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0058.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0058.023] lstrlenW (lpString=".dbf") returned 4 [0058.023] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0058.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0058.023] lstrlenW (lpString=".1cd") returned 4 [0058.023] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0058.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0058.024] lstrlenW (lpString=".jpg") returned 4 [0058.024] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0058.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0058.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0058.024] lstrlenW (lpString=".doc") returned 4 [0058.024] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0058.024] lstrlenW (lpString=".docx") returned 5 [0058.024] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0058.024] lstrlenW (lpString=".pdf") returned 4 [0058.024] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0058.024] lstrlenW (lpString=".xls") returned 4 [0058.024] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0058.024] lstrlenW (lpString=".xlsx") returned 5 [0058.024] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0058.024] lstrlenW (lpString=".ppt") returned 4 [0058.024] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0058.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0058.024] lstrlenW (lpString=".zip") returned 4 [0058.024] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0058.024] lstrlenW (lpString=".rar") returned 4 [0058.024] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0058.024] lstrlenW (lpString=".bz2") returned 4 [0058.024] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0058.024] lstrlenW (lpString=".7z") returned 3 [0058.024] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0058.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0058.024] lstrlenW (lpString=".dbf") returned 4 [0058.025] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0058.025] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0058.025] lstrlenW (lpString=".1cd") returned 4 [0058.025] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0058.025] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0058.025] lstrlenW (lpString=".jpg") returned 4 [0058.025] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0058.025] lstrcmpiW (lpString1=".avi", lpString2=".bmd") returned -1 [0058.025] lstrlenW (lpString="join.avi") returned 8 [0058.025] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0058.025] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=222208) returned 1 [0058.025] CloseHandle (hObject=0x1d0) returned 1 [0058.025] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi")) returned 0x20 [0058.026] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.026] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0058.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0058.026] lstrlenW (lpString=".doc") returned 4 [0058.026] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0058.026] lstrlenW (lpString=".docx") returned 5 [0058.026] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0058.026] lstrlenW (lpString=".pdf") returned 4 [0058.026] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0058.026] lstrlenW (lpString=".xls") returned 4 [0058.026] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0058.026] lstrlenW (lpString=".xlsx") returned 5 [0058.026] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0058.026] lstrlenW (lpString=".ppt") returned 4 [0058.026] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0058.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0058.027] lstrlenW (lpString=".zip") returned 4 [0058.027] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0058.027] lstrlenW (lpString=".rar") returned 4 [0058.027] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0058.027] lstrlenW (lpString=".bz2") returned 4 [0058.027] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0058.027] lstrlenW (lpString=".7z") returned 3 [0058.027] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0058.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0058.027] lstrlenW (lpString=".dbf") returned 4 [0058.027] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0058.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0058.027] lstrlenW (lpString=".1cd") returned 4 [0058.027] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0058.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0058.027] lstrlenW (lpString=".jpg") returned 4 [0058.027] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0058.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0058.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0058.027] lstrlenW (lpString=".doc") returned 4 [0058.027] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0058.027] lstrlenW (lpString=".docx") returned 5 [0058.027] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0058.027] lstrlenW (lpString=".pdf") returned 4 [0058.027] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0058.027] lstrlenW (lpString=".xls") returned 4 [0058.027] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0058.027] lstrlenW (lpString=".xlsx") returned 5 [0058.028] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0058.028] lstrlenW (lpString=".ppt") returned 4 [0058.028] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0058.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0058.028] lstrlenW (lpString=".zip") returned 4 [0058.028] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0058.028] lstrlenW (lpString=".rar") returned 4 [0058.028] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0058.028] lstrlenW (lpString=".bz2") returned 4 [0058.028] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0058.028] lstrlenW (lpString=".7z") returned 3 [0058.028] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0058.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0058.028] lstrlenW (lpString=".dbf") returned 4 [0058.028] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0058.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0058.028] lstrlenW (lpString=".1cd") returned 4 [0058.028] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0058.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0058.028] lstrlenW (lpString=".jpg") returned 4 [0058.028] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0058.028] lstrcmpiW (lpString1=".avi", lpString2=".bmd") returned -1 [0058.028] lstrlenW (lpString="split.avi") returned 9 [0058.029] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0058.029] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=194048) returned 1 [0058.029] CloseHandle (hObject=0x1d0) returned 1 [0058.029] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi")) returned 0x20 [0058.029] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.029] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0058.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0058.029] lstrlenW (lpString=".doc") returned 4 [0058.029] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0058.029] lstrlenW (lpString=".docx") returned 5 [0058.029] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0058.029] lstrlenW (lpString=".pdf") returned 4 [0058.029] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0058.030] lstrlenW (lpString=".xls") returned 4 [0058.030] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0058.030] lstrlenW (lpString=".xlsx") returned 5 [0058.030] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0058.030] lstrlenW (lpString=".ppt") returned 4 [0058.030] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0058.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0058.030] lstrlenW (lpString=".zip") returned 4 [0058.030] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0058.030] lstrlenW (lpString=".rar") returned 4 [0058.030] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0058.030] lstrlenW (lpString=".bz2") returned 4 [0058.030] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0058.030] lstrlenW (lpString=".7z") returned 3 [0058.030] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0058.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0058.030] lstrlenW (lpString=".dbf") returned 4 [0058.030] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0058.031] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0 [0058.331] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1434) returned 1 [0058.331] CloseHandle (hObject=0x208) returned 1 [0058.332] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml")) returned 0x20 [0058.332] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.332] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.332] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.332] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0058.332] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.332] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.332] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0058.332] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.332] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.333] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.333] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.333] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.333] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.333] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.333] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.333] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0058.333] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0058.333] lstrlenW (lpString=".doc") returned 4 [0058.333] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.333] lstrlenW (lpString=".docx") returned 5 [0058.333] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0058.333] lstrlenW (lpString=".pdf") returned 4 [0058.333] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.333] lstrlenW (lpString=".xls") returned 4 [0058.333] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.333] lstrlenW (lpString=".xlsx") returned 5 [0058.333] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0058.333] lstrlenW (lpString=".ppt") returned 4 [0058.333] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.333] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0058.334] lstrlenW (lpString=".zip") returned 4 [0058.334] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.334] lstrlenW (lpString=".rar") returned 4 [0058.334] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.334] lstrlenW (lpString=".bz2") returned 4 [0058.334] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.334] lstrlenW (lpString=".7z") returned 3 [0058.334] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.334] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0058.334] lstrlenW (lpString=".dbf") returned 4 [0058.334] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.334] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0058.334] lstrlenW (lpString=".1cd") returned 4 [0058.334] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.334] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0058.334] lstrlenW (lpString=".jpg") returned 4 [0058.334] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.334] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0058.335] lstrlenW (lpString="kor-kor.xml") returned 11 [0058.335] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0058.657] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=392) returned 1 [0058.670] CloseHandle (hObject=0x20c) returned 1 [0058.671] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml")) returned 0x20 [0058.675] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.675] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.675] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0058.675] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0058.675] lstrlenW (lpString=".doc") returned 4 [0058.675] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.676] lstrlenW (lpString=".docx") returned 5 [0058.676] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0058.676] lstrlenW (lpString=".pdf") returned 4 [0058.676] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.676] lstrlenW (lpString=".xls") returned 4 [0058.676] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.676] lstrlenW (lpString=".xlsx") returned 5 [0058.676] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0058.676] lstrlenW (lpString=".ppt") returned 4 [0058.676] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.676] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0058.676] lstrlenW (lpString=".zip") returned 4 [0058.676] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.676] lstrlenW (lpString=".rar") returned 4 [0058.676] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.676] lstrlenW (lpString=".bz2") returned 4 [0058.676] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.676] lstrlenW (lpString=".7z") returned 3 [0058.676] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.676] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0058.676] lstrlenW (lpString=".dbf") returned 4 [0058.676] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.676] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0058.676] lstrlenW (lpString=".1cd") returned 4 [0058.676] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.676] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0058.676] lstrlenW (lpString=".jpg") returned 4 [0058.676] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.676] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0058.676] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0058.676] lstrlenW (lpString=".doc") returned 4 [0058.676] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.676] lstrlenW (lpString=".docx") returned 5 [0058.676] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0058.677] lstrlenW (lpString=".pdf") returned 4 [0058.677] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.677] lstrlenW (lpString=".xls") returned 4 [0058.677] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.677] lstrlenW (lpString=".xlsx") returned 5 [0058.677] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0058.677] lstrlenW (lpString=".ppt") returned 4 [0058.677] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.677] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0058.677] lstrlenW (lpString=".zip") returned 4 [0058.677] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.677] lstrlenW (lpString=".rar") returned 4 [0058.677] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.677] lstrlenW (lpString=".bz2") returned 4 [0058.677] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.677] lstrlenW (lpString=".7z") returned 3 [0058.677] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.677] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0058.677] lstrlenW (lpString=".dbf") returned 4 [0058.677] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.677] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0058.677] lstrlenW (lpString=".1cd") returned 4 [0058.677] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.677] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0058.677] lstrlenW (lpString=".jpg") returned 4 [0058.677] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.677] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0058.677] lstrlenW (lpString="numbase.xml") returned 11 [0058.677] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0058.678] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1218) returned 1 [0058.678] CloseHandle (hObject=0x20c) returned 1 [0058.678] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml")) returned 0x20 [0058.678] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.678] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.678] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0058.678] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0058.678] lstrlenW (lpString=".doc") returned 4 [0058.678] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.678] lstrlenW (lpString=".docx") returned 5 [0058.678] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0058.678] lstrlenW (lpString=".pdf") returned 4 [0058.678] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.678] lstrlenW (lpString=".xls") returned 4 [0058.678] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.679] lstrlenW (lpString=".xlsx") returned 5 [0058.679] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0058.679] lstrlenW (lpString=".ppt") returned 4 [0058.679] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.679] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0058.679] lstrlenW (lpString=".zip") returned 4 [0058.679] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.679] lstrlenW (lpString=".rar") returned 4 [0058.679] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.679] lstrlenW (lpString=".bz2") returned 4 [0058.679] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.679] lstrlenW (lpString=".7z") returned 3 [0058.679] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.679] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0058.679] lstrlenW (lpString=".dbf") returned 4 [0058.679] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.679] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0058.679] lstrlenW (lpString=".1cd") returned 4 [0058.679] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.679] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0058.679] lstrlenW (lpString=".jpg") returned 4 [0058.679] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.679] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0058.679] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0058.679] lstrlenW (lpString=".doc") returned 4 [0058.679] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.680] lstrlenW (lpString=".docx") returned 5 [0058.680] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0058.680] lstrlenW (lpString=".pdf") returned 4 [0058.680] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.680] lstrlenW (lpString=".xls") returned 4 [0058.680] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.680] lstrlenW (lpString=".xlsx") returned 5 [0058.680] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0058.680] lstrlenW (lpString=".ppt") returned 4 [0058.680] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.680] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0058.680] lstrlenW (lpString=".zip") returned 4 [0058.680] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.680] lstrlenW (lpString=".rar") returned 4 [0058.680] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.680] lstrlenW (lpString=".bz2") returned 4 [0058.680] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.680] lstrlenW (lpString=".7z") returned 3 [0058.873] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.873] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.873] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0058.874] GetLastError () returned 0x0 [0058.874] ReadFile (in: hFile=0x184, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x795, lpOverlapped=0x0) returned 1 [0058.886] WriteFile (in: hFile=0x20c, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x7a0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x7a0, lpOverlapped=0x0) returned 1 [0058.915] ReadFile (in: hFile=0x184, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0058.915] WriteFile (in: hFile=0x20c, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe8, lpOverlapped=0x0) returned 1 [0058.933] SetEndOfFile (hFile=0x20c) returned 1 [0058.934] CloseHandle (hObject=0x20c) returned 1 [0058.935] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.935] SetEndOfFile (hFile=0x184) returned 1 [0058.936] CloseHandle (hObject=0x184) returned 1 [0058.936] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0058.936] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm")) returned 1 [0058.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0058.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0058.936] lstrlenW (lpString=".doc") returned 4 [0058.936] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0058.936] lstrlenW (lpString=".docx") returned 5 [0058.936] lstrcmpiW (lpString1=".docx", lpString2="E.HTM") returned -1 [0058.936] lstrlenW (lpString=".pdf") returned 4 [0058.936] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0058.936] lstrlenW (lpString=".xls") returned 4 [0058.936] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0058.937] lstrlenW (lpString=".xlsx") returned 5 [0058.937] lstrcmpiW (lpString1=".xlsx", lpString2="E.HTM") returned -1 [0058.937] lstrlenW (lpString=".ppt") returned 4 [0058.937] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0058.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0058.937] lstrlenW (lpString=".zip") returned 4 [0058.937] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0058.937] lstrlenW (lpString=".rar") returned 4 [0058.937] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0058.937] lstrlenW (lpString=".bz2") returned 4 [0058.937] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0058.937] lstrlenW (lpString=".7z") returned 3 [0058.937] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0058.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0058.937] lstrlenW (lpString=".dbf") returned 4 [0058.937] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0058.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0058.937] lstrlenW (lpString=".1cd") returned 4 [0058.937] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0058.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0058.937] lstrlenW (lpString=".jpg") returned 4 [0058.937] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0058.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0058.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0058.937] lstrlenW (lpString=".doc") returned 4 [0058.937] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0058.937] lstrlenW (lpString=".docx") returned 5 [0058.937] lstrcmpiW (lpString1=".docx", lpString2="E.HTM") returned -1 [0058.937] lstrlenW (lpString=".pdf") returned 4 [0058.937] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0058.937] lstrlenW (lpString=".xls") returned 4 [0058.937] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0058.937] lstrlenW (lpString=".xlsx") returned 5 [0058.937] lstrcmpiW (lpString1=".xlsx", lpString2="E.HTM") returned -1 [0058.937] lstrlenW (lpString=".ppt") returned 4 [0058.938] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0058.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0058.938] lstrlenW (lpString=".zip") returned 4 [0058.938] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0058.938] lstrlenW (lpString=".rar") returned 4 [0058.938] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0058.938] lstrlenW (lpString=".bz2") returned 4 [0058.938] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0058.938] lstrlenW (lpString=".7z") returned 3 [0058.938] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0058.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0058.938] lstrlenW (lpString=".dbf") returned 4 [0058.938] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0058.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0058.938] lstrlenW (lpString=".1cd") returned 4 [0058.938] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0058.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0058.938] lstrlenW (lpString=".jpg") returned 4 [0058.938] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0058.938] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0058.938] lstrlenW (lpString="SETUP.XML") returned 9 [0058.938] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0059.138] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=2624) returned 1 [0059.138] CloseHandle (hObject=0x1d0) returned 1 [0059.138] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml")) returned 0x20 [0059.138] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0059.139] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0059.139] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0059.139] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0059.139] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0059.139] GetLastError () returned 0x0 [0059.139] ReadFile (in: hFile=0x1d0, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0xa40, lpOverlapped=0x0) returned 1 [0059.141] WriteFile (in: hFile=0x208, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xa50, lpOverlapped=0x0) returned 1 [0059.142] ReadFile (in: hFile=0x1d0, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0059.142] WriteFile (in: hFile=0x208, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0059.142] SetEndOfFile (hFile=0x208) returned 1 [0059.142] CloseHandle (hObject=0x208) returned 1 [0059.143] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0059.143] SetEndOfFile (hFile=0x1d0) returned 1 [0059.144] CloseHandle (hObject=0x1d0) returned 1 [0059.144] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0059.145] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml")) returned 1 [0059.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0059.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0059.145] lstrlenW (lpString=".doc") returned 4 [0059.145] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0059.145] lstrlenW (lpString=".docx") returned 5 [0059.145] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0059.145] lstrlenW (lpString=".pdf") returned 4 [0059.145] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0059.145] lstrlenW (lpString=".xls") returned 4 [0059.145] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0059.145] lstrlenW (lpString=".xlsx") returned 5 [0059.145] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0059.145] lstrlenW (lpString=".ppt") returned 4 [0059.145] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0059.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0059.145] lstrlenW (lpString=".zip") returned 4 [0059.145] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0059.145] lstrlenW (lpString=".rar") returned 4 [0059.145] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0059.146] lstrlenW (lpString=".bz2") returned 4 [0059.146] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0059.146] lstrlenW (lpString=".7z") returned 3 [0059.146] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0059.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0059.146] lstrlenW (lpString=".dbf") returned 4 [0059.146] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0059.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0059.146] lstrlenW (lpString=".1cd") returned 4 [0059.146] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0059.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0059.146] lstrlenW (lpString=".jpg") returned 4 [0059.146] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0059.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0059.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0059.146] lstrlenW (lpString=".doc") returned 4 [0059.146] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0059.146] lstrlenW (lpString=".docx") returned 5 [0059.146] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0059.146] lstrlenW (lpString=".pdf") returned 4 [0059.146] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0059.146] lstrlenW (lpString=".xls") returned 4 [0059.146] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0059.146] lstrlenW (lpString=".xlsx") returned 5 [0059.146] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0059.146] lstrlenW (lpString=".ppt") returned 4 [0059.146] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0059.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0059.147] lstrlenW (lpString=".zip") returned 4 [0059.147] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0059.147] lstrlenW (lpString=".rar") returned 4 [0059.147] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0059.147] lstrlenW (lpString=".bz2") returned 4 [0059.147] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0059.147] lstrlenW (lpString=".7z") returned 3 [0059.147] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0059.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0059.147] lstrlenW (lpString=".dbf") returned 4 [0059.147] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0059.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0059.147] lstrlenW (lpString=".1cd") returned 4 [0059.147] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0059.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0059.147] lstrlenW (lpString=".jpg") returned 4 [0059.147] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0059.147] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0059.147] lstrlenW (lpString="ExcelMUI.XML") returned 12 [0059.147] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0059.148] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1565) returned 1 [0059.148] CloseHandle (hObject=0x1d0) returned 1 [0059.148] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml")) returned 0x20 [0059.148] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0059.148] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0059.148] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0059.148] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0059.148] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0059.148] GetLastError () returned 0x0 [0059.149] ReadFile (in: hFile=0x1d0, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x61d, lpOverlapped=0x0) returned 1 [0059.150] WriteFile (in: hFile=0x208, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x620, lpOverlapped=0x0) returned 1 [0059.151] ReadFile (in: hFile=0x1d0, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0059.151] WriteFile (in: hFile=0x208, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.152] SetEndOfFile (hFile=0x208) returned 1 [0059.152] CloseHandle (hObject=0x208) returned 1 [0059.152] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0059.153] SetEndOfFile (hFile=0x1d0) returned 1 [0059.153] CloseHandle (hObject=0x1d0) returned 1 [0059.153] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0059.154] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml")) returned 1 [0059.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0059.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0059.154] lstrlenW (lpString=".doc") returned 4 [0059.154] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0059.154] lstrlenW (lpString=".docx") returned 5 [0059.154] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0059.154] lstrlenW (lpString=".pdf") returned 4 [0059.154] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0059.154] lstrlenW (lpString=".xls") returned 4 [0059.154] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0059.154] lstrlenW (lpString=".xlsx") returned 5 [0059.154] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0059.154] lstrlenW (lpString=".ppt") returned 4 [0059.154] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0059.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0059.154] lstrlenW (lpString=".zip") returned 4 [0059.154] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0059.154] lstrlenW (lpString=".rar") returned 4 [0059.154] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0059.154] lstrlenW (lpString=".bz2") returned 4 [0059.154] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0059.154] lstrlenW (lpString=".7z") returned 3 [0059.154] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0059.155] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0059.155] lstrlenW (lpString=".dbf") returned 4 [0059.155] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0059.155] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0059.155] lstrlenW (lpString=".1cd") returned 4 [0059.155] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0059.155] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0059.155] lstrlenW (lpString=".jpg") returned 4 [0059.155] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0059.155] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0059.155] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0059.155] lstrlenW (lpString=".doc") returned 4 [0059.155] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0059.155] lstrlenW (lpString=".docx") returned 5 [0059.155] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0059.155] lstrlenW (lpString=".pdf") returned 4 [0059.155] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0059.155] lstrlenW (lpString=".xls") returned 4 [0059.155] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0059.155] lstrlenW (lpString=".xlsx") returned 5 [0059.155] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0059.155] lstrlenW (lpString=".ppt") returned 4 [0059.155] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0059.155] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0059.155] lstrlenW (lpString=".zip") returned 4 [0059.155] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0059.155] lstrlenW (lpString=".rar") returned 4 [0059.155] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0059.155] lstrlenW (lpString=".bz2") returned 4 [0059.155] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0059.155] lstrlenW (lpString=".7z") returned 3 [0059.155] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0059.155] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0059.155] lstrlenW (lpString=".dbf") returned 4 [0059.156] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0059.156] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0059.156] lstrlenW (lpString=".1cd") returned 4 [0059.156] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0059.156] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0059.156] lstrlenW (lpString=".jpg") returned 4 [0059.156] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0059.156] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0059.156] lstrlenW (lpString="SETUP.XML") returned 9 [0059.156] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0059.157] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=2296) returned 1 [0059.157] CloseHandle (hObject=0x1d0) returned 1 [0059.157] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml")) returned 0x20 [0059.157] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0059.158] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0059.158] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0059.158] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0059.158] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0059.421] GetLastError () returned 0x0 [0059.421] ReadFile (in: hFile=0x1d0, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x8f8, lpOverlapped=0x0) returned 1 [0059.423] WriteFile (in: hFile=0x184, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x900, lpOverlapped=0x0) returned 1 [0059.424] ReadFile (in: hFile=0x1d0, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0059.424] WriteFile (in: hFile=0x184, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0059.424] SetEndOfFile (hFile=0x184) returned 1 [0059.425] CloseHandle (hObject=0x184) returned 1 [0059.427] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0059.427] SetEndOfFile (hFile=0x1d0) returned 1 [0059.428] CloseHandle (hObject=0x1d0) returned 1 [0059.428] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0059.428] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml")) returned 1 [0059.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0059.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0059.429] lstrlenW (lpString=".doc") returned 4 [0059.429] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0059.429] lstrlenW (lpString=".docx") returned 5 [0059.429] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0059.429] lstrlenW (lpString=".pdf") returned 4 [0059.429] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0059.429] lstrlenW (lpString=".xls") returned 4 [0059.429] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0059.429] lstrlenW (lpString=".xlsx") returned 5 [0059.429] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0059.429] lstrlenW (lpString=".ppt") returned 4 [0059.429] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0059.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0059.429] lstrlenW (lpString=".zip") returned 4 [0059.429] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0059.429] lstrlenW (lpString=".rar") returned 4 [0059.429] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0059.430] lstrlenW (lpString=".bz2") returned 4 [0059.430] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0059.430] lstrlenW (lpString=".7z") returned 3 [0059.430] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0059.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0059.430] lstrlenW (lpString=".dbf") returned 4 [0059.430] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0059.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0059.430] lstrlenW (lpString=".1cd") returned 4 [0059.430] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0059.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0059.430] lstrlenW (lpString=".jpg") returned 4 [0059.430] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0059.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0059.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0059.430] lstrlenW (lpString=".doc") returned 4 [0059.430] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0059.430] lstrlenW (lpString=".docx") returned 5 [0059.430] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0059.430] lstrlenW (lpString=".pdf") returned 4 [0059.431] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0059.431] lstrlenW (lpString=".xls") returned 4 [0059.431] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0059.431] lstrlenW (lpString=".xlsx") returned 5 [0059.431] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0059.431] lstrlenW (lpString=".ppt") returned 4 [0059.431] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0059.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0059.431] lstrlenW (lpString=".zip") returned 4 [0059.431] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0059.431] lstrlenW (lpString=".rar") returned 4 [0059.431] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0059.431] lstrlenW (lpString=".bz2") returned 4 [0059.431] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0059.431] lstrlenW (lpString=".7z") returned 3 [0059.431] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0059.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0059.431] lstrlenW (lpString=".dbf") returned 4 [0059.431] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0059.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0059.431] lstrlenW (lpString=".1cd") returned 4 [0059.431] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0059.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0059.432] lstrlenW (lpString=".jpg") returned 4 [0059.432] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0059.515] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0059.515] lstrlenW (lpString="SETUP.XML") returned 9 [0059.515] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0060.111] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1452) returned 1 [0060.111] CloseHandle (hObject=0x19c) returned 1 [0060.112] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml")) returned 0x20 [0060.112] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0060.112] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0060.112] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.112] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.112] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0060.113] GetLastError () returned 0x0 [0060.113] ReadFile (in: hFile=0x19c, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x5ac, lpOverlapped=0x0) returned 1 [0060.201] WriteFile (in: hFile=0x1d0, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0060.207] ReadFile (in: hFile=0x19c, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.207] WriteFile (in: hFile=0x1d0, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0060.207] SetEndOfFile (hFile=0x1d0) returned 1 [0060.208] CloseHandle (hObject=0x1d0) returned 1 [0060.215] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.216] SetEndOfFile (hFile=0x19c) returned 1 [0060.217] CloseHandle (hObject=0x19c) returned 1 [0060.217] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0060.217] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml")) returned 1 [0060.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0060.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0060.218] lstrlenW (lpString=".doc") returned 4 [0060.218] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0060.218] lstrlenW (lpString=".docx") returned 5 [0060.218] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0060.218] lstrlenW (lpString=".pdf") returned 4 [0060.218] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0060.220] lstrlenW (lpString=".xls") returned 4 [0060.220] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0060.220] lstrlenW (lpString=".xlsx") returned 5 [0060.246] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0060.264] lstrlenW (lpString=".ppt") returned 4 [0060.269] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0060.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0060.290] lstrlenW (lpString=".zip") returned 4 [0060.294] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0060.298] lstrlenW (lpString=".rar") returned 4 [0060.298] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0060.298] lstrlenW (lpString=".bz2") returned 4 [0060.298] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0060.298] lstrlenW (lpString=".7z") returned 3 [0060.298] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0060.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0060.298] lstrlenW (lpString=".dbf") returned 4 [0060.299] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0060.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0060.299] lstrlenW (lpString=".1cd") returned 4 [0060.299] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0060.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0060.299] lstrlenW (lpString=".jpg") returned 4 [0060.299] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0060.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0060.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0060.299] lstrlenW (lpString=".doc") returned 4 [0060.299] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0060.299] lstrlenW (lpString=".docx") returned 5 [0060.299] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0060.299] lstrlenW (lpString=".pdf") returned 4 [0060.299] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0060.299] lstrlenW (lpString=".xls") returned 4 [0060.299] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0060.299] lstrlenW (lpString=".xlsx") returned 5 [0060.299] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0060.299] lstrlenW (lpString=".ppt") returned 4 [0060.299] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0060.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0060.299] lstrlenW (lpString=".zip") returned 4 [0060.299] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0060.300] lstrlenW (lpString=".rar") returned 4 [0060.300] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0060.300] lstrlenW (lpString=".bz2") returned 4 [0060.300] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0060.300] lstrlenW (lpString=".7z") returned 3 [0060.300] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0060.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0060.300] lstrlenW (lpString=".dbf") returned 4 [0060.300] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0060.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0060.300] lstrlenW (lpString=".1cd") returned 4 [0060.300] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0060.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0060.300] lstrlenW (lpString=".jpg") returned 4 [0060.300] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0060.300] lstrcmpiW (lpString1=".CHM", lpString2=".bmd") returned 1 [0060.300] lstrlenW (lpString="OCT.CHM") returned 7 [0060.300] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0061.091] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=71236) returned 1 [0061.091] CloseHandle (hObject=0x204) returned 1 [0061.091] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm")) returned 0x20 [0061.091] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0061.091] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0061.091] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0061.091] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0061.091] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0061.428] GetLastError () returned 0x0 [0061.428] ReadFile (in: hFile=0x204, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x11644, lpOverlapped=0x0) returned 1 [0062.005] WriteFile (in: hFile=0x1e8, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x11650, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x11650, lpOverlapped=0x0) returned 1 [0062.008] ReadFile (in: hFile=0x204, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0062.008] WriteFile (in: hFile=0x1e8, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe2, lpOverlapped=0x0) returned 1 [0062.008] SetEndOfFile (hFile=0x1e8) returned 1 [0062.008] CloseHandle (hObject=0x1e8) returned 1 [0062.010] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0062.010] SetEndOfFile (hFile=0x204) returned 1 [0062.012] CloseHandle (hObject=0x204) returned 1 [0062.012] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.012] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm")) returned 1 [0062.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0062.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0062.013] lstrlenW (lpString=".doc") returned 4 [0062.013] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0062.013] lstrlenW (lpString=".docx") returned 5 [0062.013] lstrcmpiW (lpString1=".docx", lpString2="T.CHM") returned -1 [0062.013] lstrlenW (lpString=".pdf") returned 4 [0062.013] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0062.013] lstrlenW (lpString=".xls") returned 4 [0062.013] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0062.013] lstrlenW (lpString=".xlsx") returned 5 [0062.013] lstrcmpiW (lpString1=".xlsx", lpString2="T.CHM") returned -1 [0062.013] lstrlenW (lpString=".ppt") returned 4 [0062.013] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0062.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0062.013] lstrlenW (lpString=".zip") returned 4 [0062.013] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0062.013] lstrlenW (lpString=".rar") returned 4 [0062.013] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0062.013] lstrlenW (lpString=".bz2") returned 4 [0062.013] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0062.013] lstrlenW (lpString=".7z") returned 3 [0062.013] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0062.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0062.013] lstrlenW (lpString=".dbf") returned 4 [0062.013] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0062.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0062.013] lstrlenW (lpString=".1cd") returned 4 [0062.013] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0062.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0062.014] lstrlenW (lpString=".jpg") returned 4 [0062.014] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0062.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0062.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0062.014] lstrlenW (lpString=".doc") returned 4 [0062.014] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0062.014] lstrlenW (lpString=".docx") returned 5 [0062.014] lstrcmpiW (lpString1=".docx", lpString2="T.CHM") returned -1 [0062.014] lstrlenW (lpString=".pdf") returned 4 [0062.014] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0062.014] lstrlenW (lpString=".xls") returned 4 [0062.014] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0062.014] lstrlenW (lpString=".xlsx") returned 5 [0062.014] lstrcmpiW (lpString1=".xlsx", lpString2="T.CHM") returned -1 [0062.014] lstrlenW (lpString=".ppt") returned 4 [0062.014] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0062.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0062.014] lstrlenW (lpString=".zip") returned 4 [0062.014] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0062.014] lstrlenW (lpString=".rar") returned 4 [0062.014] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0062.014] lstrlenW (lpString=".bz2") returned 4 [0062.014] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0062.015] lstrlenW (lpString=".7z") returned 3 [0062.015] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0062.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0062.015] lstrlenW (lpString=".dbf") returned 4 [0062.015] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0062.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0062.015] lstrlenW (lpString=".1cd") returned 4 [0062.015] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0062.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0062.015] lstrlenW (lpString=".jpg") returned 4 [0062.015] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0062.124] lstrcmpiW (lpString1=".CHM", lpString2=".bmd") returned 1 [0062.124] lstrlenW (lpString="PSS10R.CHM") returned 10 [0062.125] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0062.148] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=27195) returned 1 [0062.148] CloseHandle (hObject=0x198) returned 1 [0062.149] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm")) returned 0x20 [0062.149] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.149] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0062.149] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0062.149] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0062.149] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0062.150] GetLastError () returned 0x0 [0062.150] ReadFile (in: hFile=0x198, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x6a3b, lpOverlapped=0x0) returned 1 [0062.168] WriteFile (in: hFile=0x1ac, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x6a40, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x6a40, lpOverlapped=0x0) returned 1 [0062.169] ReadFile (in: hFile=0x198, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0062.169] WriteFile (in: hFile=0x1ac, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe8, lpOverlapped=0x0) returned 1 [0062.169] SetEndOfFile (hFile=0x1ac) returned 1 [0062.170] CloseHandle (hObject=0x1ac) returned 1 [0062.172] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0062.172] SetEndOfFile (hFile=0x198) returned 1 [0062.174] CloseHandle (hObject=0x198) returned 1 [0062.174] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.174] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm")) returned 1 [0062.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0062.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0062.174] lstrlenW (lpString=".doc") returned 4 [0062.175] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0062.175] lstrlenW (lpString=".docx") returned 5 [0062.175] lstrcmpiW (lpString1=".docx", lpString2="R.CHM") returned -1 [0062.175] lstrlenW (lpString=".pdf") returned 4 [0062.175] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0062.175] lstrlenW (lpString=".xls") returned 4 [0062.175] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0062.175] lstrlenW (lpString=".xlsx") returned 5 [0062.175] lstrcmpiW (lpString1=".xlsx", lpString2="R.CHM") returned -1 [0062.175] lstrlenW (lpString=".ppt") returned 4 [0062.175] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0062.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0062.175] lstrlenW (lpString=".zip") returned 4 [0062.175] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0062.175] lstrlenW (lpString=".rar") returned 4 [0062.175] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0062.175] lstrlenW (lpString=".bz2") returned 4 [0062.175] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0062.175] lstrlenW (lpString=".7z") returned 3 [0062.175] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0062.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0062.176] lstrlenW (lpString=".dbf") returned 4 [0062.176] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0062.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0062.176] lstrlenW (lpString=".1cd") returned 4 [0062.176] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0062.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0062.176] lstrlenW (lpString=".jpg") returned 4 [0062.176] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0062.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0062.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0062.176] lstrlenW (lpString=".doc") returned 4 [0062.176] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0062.176] lstrlenW (lpString=".docx") returned 5 [0062.176] lstrcmpiW (lpString1=".docx", lpString2="R.CHM") returned -1 [0062.176] lstrlenW (lpString=".pdf") returned 4 [0062.176] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0062.176] lstrlenW (lpString=".xls") returned 4 [0062.176] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0062.176] lstrlenW (lpString=".xlsx") returned 5 [0062.176] lstrcmpiW (lpString1=".xlsx", lpString2="R.CHM") returned -1 [0062.176] lstrlenW (lpString=".ppt") returned 4 [0062.176] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0062.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0062.176] lstrlenW (lpString=".zip") returned 4 [0062.176] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0062.176] lstrlenW (lpString=".rar") returned 4 [0062.177] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0062.177] lstrlenW (lpString=".bz2") returned 4 [0062.177] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0062.177] lstrlenW (lpString=".7z") returned 3 [0062.177] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0062.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0062.177] lstrlenW (lpString=".dbf") returned 4 [0062.177] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0062.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0062.177] lstrlenW (lpString=".1cd") returned 4 [0062.177] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0062.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0062.177] lstrlenW (lpString=".jpg") returned 4 [0062.177] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0062.177] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.177] lstrlenW (lpString="OneNoteMUI.XML") returned 14 [0062.177] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0062.178] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1606) returned 1 [0062.178] CloseHandle (hObject=0x198) returned 1 [0062.178] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml")) returned 0x20 [0062.178] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.178] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0062.178] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0062.178] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0062.178] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0062.317] GetLastError () returned 0x0 [0062.318] ReadFile (in: hFile=0x198, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x646, lpOverlapped=0x0) returned 1 [0062.343] WriteFile (in: hFile=0x214, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x650, lpOverlapped=0x0) returned 1 [0062.344] ReadFile (in: hFile=0x198, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0062.344] WriteFile (in: hFile=0x214, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xf0, lpOverlapped=0x0) returned 1 [0062.344] SetEndOfFile (hFile=0x214) returned 1 [0062.344] CloseHandle (hObject=0x214) returned 1 [0062.345] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0062.345] SetEndOfFile (hFile=0x198) returned 1 [0062.346] CloseHandle (hObject=0x198) returned 1 [0062.346] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.347] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml")) returned 1 [0062.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0062.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0062.347] lstrlenW (lpString=".doc") returned 4 [0062.347] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.347] lstrlenW (lpString=".docx") returned 5 [0062.347] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0062.347] lstrlenW (lpString=".pdf") returned 4 [0062.347] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.347] lstrlenW (lpString=".xls") returned 4 [0062.347] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.347] lstrlenW (lpString=".xlsx") returned 5 [0062.347] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0062.347] lstrlenW (lpString=".ppt") returned 4 [0062.347] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0062.347] lstrlenW (lpString=".zip") returned 4 [0062.347] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.348] lstrlenW (lpString=".rar") returned 4 [0062.348] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.348] lstrlenW (lpString=".bz2") returned 4 [0062.348] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.348] lstrlenW (lpString=".7z") returned 3 [0062.348] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0062.348] lstrlenW (lpString=".dbf") returned 4 [0062.348] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0062.348] lstrlenW (lpString=".1cd") returned 4 [0062.348] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0062.348] lstrlenW (lpString=".jpg") returned 4 [0062.348] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0062.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0062.348] lstrlenW (lpString=".doc") returned 4 [0062.348] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.348] lstrlenW (lpString=".docx") returned 5 [0062.348] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0062.348] lstrlenW (lpString=".pdf") returned 4 [0062.348] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.348] lstrlenW (lpString=".xls") returned 4 [0062.348] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.348] lstrlenW (lpString=".xlsx") returned 5 [0062.348] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0062.348] lstrlenW (lpString=".ppt") returned 4 [0062.348] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0062.348] lstrlenW (lpString=".zip") returned 4 [0062.348] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.349] lstrlenW (lpString=".rar") returned 4 [0062.349] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.349] lstrlenW (lpString=".bz2") returned 4 [0062.349] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.349] lstrlenW (lpString=".7z") returned 3 [0062.349] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0062.349] lstrlenW (lpString=".dbf") returned 4 [0062.349] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0062.349] lstrlenW (lpString=".1cd") returned 4 [0062.349] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0062.349] lstrlenW (lpString=".jpg") returned 4 [0062.349] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.349] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.349] lstrlenW (lpString="SETUP.XML") returned 9 [0062.349] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0062.443] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1886) returned 1 [0062.443] CloseHandle (hObject=0x19c) returned 1 [0062.444] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml")) returned 0x20 [0062.444] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.444] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0062.444] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0062.444] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0062.444] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0062.444] GetLastError () returned 0x0 [0062.444] ReadFile (in: hFile=0x19c, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x75e, lpOverlapped=0x0) returned 1 [0062.450] WriteFile (in: hFile=0x210, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x760, lpOverlapped=0x0) returned 1 [0062.451] ReadFile (in: hFile=0x19c, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0062.451] WriteFile (in: hFile=0x210, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0062.451] SetEndOfFile (hFile=0x210) returned 1 [0062.452] CloseHandle (hObject=0x210) returned 1 [0062.453] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0062.453] SetEndOfFile (hFile=0x19c) returned 1 [0062.454] CloseHandle (hObject=0x19c) returned 1 [0062.454] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.454] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml")) returned 1 [0062.455] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0062.455] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0062.455] lstrlenW (lpString=".doc") returned 4 [0062.455] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.455] lstrlenW (lpString=".docx") returned 5 [0062.455] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0062.455] lstrlenW (lpString=".pdf") returned 4 [0062.455] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.455] lstrlenW (lpString=".xls") returned 4 [0062.455] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.455] lstrlenW (lpString=".xlsx") returned 5 [0062.455] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0062.455] lstrlenW (lpString=".ppt") returned 4 [0062.455] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.455] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0062.455] lstrlenW (lpString=".zip") returned 4 [0062.455] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.455] lstrlenW (lpString=".rar") returned 4 [0062.455] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.455] lstrlenW (lpString=".bz2") returned 4 [0062.455] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.455] lstrlenW (lpString=".7z") returned 3 [0062.455] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.455] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0062.456] lstrlenW (lpString=".dbf") returned 4 [0062.456] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.456] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0062.456] lstrlenW (lpString=".1cd") returned 4 [0062.456] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.456] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0062.456] lstrlenW (lpString=".jpg") returned 4 [0062.456] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.456] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0062.456] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0062.456] lstrlenW (lpString=".doc") returned 4 [0062.456] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.456] lstrlenW (lpString=".docx") returned 5 [0062.456] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0062.456] lstrlenW (lpString=".pdf") returned 4 [0062.456] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.456] lstrlenW (lpString=".xls") returned 4 [0062.456] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.456] lstrlenW (lpString=".xlsx") returned 5 [0062.456] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0062.456] lstrlenW (lpString=".ppt") returned 4 [0062.456] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0062.457] lstrlenW (lpString=".zip") returned 4 [0062.457] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.457] lstrlenW (lpString=".rar") returned 4 [0062.457] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.457] lstrlenW (lpString=".bz2") returned 4 [0062.457] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.457] lstrlenW (lpString=".7z") returned 3 [0062.457] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0062.457] lstrlenW (lpString=".dbf") returned 4 [0062.457] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0062.457] lstrlenW (lpString=".1cd") returned 4 [0062.457] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0062.457] lstrlenW (lpString=".jpg") returned 4 [0062.457] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.457] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.457] lstrlenW (lpString="SETUP.XML") returned 9 [0062.458] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0062.458] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1872) returned 1 [0062.458] CloseHandle (hObject=0x19c) returned 1 [0062.458] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml")) returned 0x20 [0062.458] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.459] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0062.459] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0062.459] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0062.459] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0062.459] GetLastError () returned 0x0 [0062.459] ReadFile (in: hFile=0x19c, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x750, lpOverlapped=0x0) returned 1 [0062.462] WriteFile (in: hFile=0x210, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x760, lpOverlapped=0x0) returned 1 [0062.464] ReadFile (in: hFile=0x19c, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0062.464] WriteFile (in: hFile=0x210, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0062.464] SetEndOfFile (hFile=0x210) returned 1 [0062.464] CloseHandle (hObject=0x210) returned 1 [0062.465] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0062.465] SetEndOfFile (hFile=0x19c) returned 1 [0062.467] CloseHandle (hObject=0x19c) returned 1 [0062.467] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.467] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml")) returned 1 [0062.467] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0062.467] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0062.467] lstrlenW (lpString=".doc") returned 4 [0062.467] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.467] lstrlenW (lpString=".docx") returned 5 [0062.467] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0062.467] lstrlenW (lpString=".pdf") returned 4 [0062.467] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.467] lstrlenW (lpString=".xls") returned 4 [0062.467] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.468] lstrlenW (lpString=".xlsx") returned 5 [0062.468] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0062.468] lstrlenW (lpString=".ppt") returned 4 [0062.468] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0062.468] lstrlenW (lpString=".zip") returned 4 [0062.468] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.468] lstrlenW (lpString=".rar") returned 4 [0062.468] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.468] lstrlenW (lpString=".bz2") returned 4 [0062.468] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.468] lstrlenW (lpString=".7z") returned 3 [0062.468] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0062.468] lstrlenW (lpString=".dbf") returned 4 [0062.468] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0062.468] lstrlenW (lpString=".1cd") returned 4 [0062.468] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0062.468] lstrlenW (lpString=".jpg") returned 4 [0062.468] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0062.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0062.468] lstrlenW (lpString=".doc") returned 4 [0062.468] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.468] lstrlenW (lpString=".docx") returned 5 [0062.468] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0062.468] lstrlenW (lpString=".pdf") returned 4 [0062.469] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.469] lstrlenW (lpString=".xls") returned 4 [0062.469] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.469] lstrlenW (lpString=".xlsx") returned 5 [0062.469] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0062.469] lstrlenW (lpString=".ppt") returned 4 [0062.469] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0062.469] lstrlenW (lpString=".zip") returned 4 [0062.469] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.469] lstrlenW (lpString=".rar") returned 4 [0062.469] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.469] lstrlenW (lpString=".bz2") returned 4 [0062.469] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.469] lstrlenW (lpString=".7z") returned 3 [0062.469] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0062.469] lstrlenW (lpString=".dbf") returned 4 [0062.469] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0062.469] lstrlenW (lpString=".1cd") returned 4 [0062.469] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0062.469] lstrlenW (lpString=".jpg") returned 4 [0062.469] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.469] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.469] lstrlenW (lpString="Proof.XML") returned 9 [0062.470] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0062.470] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1347) returned 1 [0062.470] CloseHandle (hObject=0x19c) returned 1 [0062.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml")) returned 0x20 [0062.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.470] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0062.471] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0062.471] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0062.471] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0062.471] GetLastError () returned 0x0 [0062.471] ReadFile (in: hFile=0x19c, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x543, lpOverlapped=0x0) returned 1 [0062.931] WriteFile (in: hFile=0x210, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x550, lpOverlapped=0x0) returned 1 [0063.979] ReadFile (in: hFile=0x19c, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0063.979] WriteFile (in: hFile=0x210, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0063.979] SetEndOfFile (hFile=0x210) returned 1 [0063.979] CloseHandle (hObject=0x210) returned 1 [0063.980] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0063.980] SetEndOfFile (hFile=0x19c) returned 1 [0064.363] CloseHandle (hObject=0x19c) returned 1 [0064.363] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0064.364] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml")) returned 1 [0064.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0064.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0064.364] lstrlenW (lpString=".doc") returned 4 [0064.364] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0064.365] lstrlenW (lpString=".docx") returned 5 [0064.365] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0064.365] lstrlenW (lpString=".pdf") returned 4 [0064.365] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0064.365] lstrlenW (lpString=".xls") returned 4 [0064.365] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0064.365] lstrlenW (lpString=".xlsx") returned 5 [0064.365] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0064.365] lstrlenW (lpString=".ppt") returned 4 [0064.365] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0064.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0064.365] lstrlenW (lpString=".zip") returned 4 [0064.365] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0064.365] lstrlenW (lpString=".rar") returned 4 [0064.365] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0064.365] lstrlenW (lpString=".bz2") returned 4 [0064.365] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0064.365] lstrlenW (lpString=".7z") returned 3 [0064.365] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0064.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0064.365] lstrlenW (lpString=".dbf") returned 4 [0064.365] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0064.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0064.365] lstrlenW (lpString=".1cd") returned 4 [0064.365] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0064.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0064.365] lstrlenW (lpString=".jpg") returned 4 [0064.365] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0064.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0064.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0064.366] lstrlenW (lpString=".doc") returned 4 [0064.366] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0064.366] lstrlenW (lpString=".docx") returned 5 [0064.366] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0064.366] lstrlenW (lpString=".pdf") returned 4 [0064.366] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0064.366] lstrlenW (lpString=".xls") returned 4 [0064.366] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0064.366] lstrlenW (lpString=".xlsx") returned 5 [0064.366] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0064.366] lstrlenW (lpString=".ppt") returned 4 [0064.366] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0064.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0064.366] lstrlenW (lpString=".zip") returned 4 [0064.366] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0064.366] lstrlenW (lpString=".rar") returned 4 [0064.366] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0064.366] lstrlenW (lpString=".bz2") returned 4 [0064.366] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0064.366] lstrlenW (lpString=".7z") returned 3 [0064.366] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0064.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0064.366] lstrlenW (lpString=".dbf") returned 4 [0064.366] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0064.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0064.366] lstrlenW (lpString=".1cd") returned 4 [0064.366] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0064.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0064.367] lstrlenW (lpString=".jpg") returned 4 [0064.367] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0064.367] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0064.367] lstrlenW (lpString="SETUP.XML") returned 9 [0064.367] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0064.394] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=20577) returned 1 [0064.394] CloseHandle (hObject=0x188) returned 1 [0064.394] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml")) returned 0x20 [0064.394] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0064.394] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0064.394] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0064.394] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0064.394] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0064.395] GetLastError () returned 0x0 [0064.395] ReadFile (in: hFile=0x188, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x5061, lpOverlapped=0x0) returned 1 [0064.475] WriteFile (in: hFile=0x19c, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x5070, lpOverlapped=0x0) returned 1 [0064.498] ReadFile (in: hFile=0x188, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0064.498] WriteFile (in: hFile=0x19c, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0064.498] SetEndOfFile (hFile=0x19c) returned 1 [0064.542] CloseHandle (hObject=0x19c) returned 1 [0064.542] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0064.542] SetEndOfFile (hFile=0x188) returned 1 [0064.543] CloseHandle (hObject=0x188) returned 1 [0064.543] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0064.544] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml")) returned 1 [0064.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0064.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0064.544] lstrlenW (lpString=".doc") returned 4 [0064.544] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0064.544] lstrlenW (lpString=".docx") returned 5 [0064.544] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0064.544] lstrlenW (lpString=".pdf") returned 4 [0064.544] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0064.544] lstrlenW (lpString=".xls") returned 4 [0064.544] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0064.544] lstrlenW (lpString=".xlsx") returned 5 [0064.544] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0064.544] lstrlenW (lpString=".ppt") returned 4 [0064.544] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0064.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0064.545] lstrlenW (lpString=".zip") returned 4 [0064.545] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0064.545] lstrlenW (lpString=".rar") returned 4 [0064.545] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0064.545] lstrlenW (lpString=".bz2") returned 4 [0064.545] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0064.545] lstrlenW (lpString=".7z") returned 3 [0064.545] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0064.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0064.545] lstrlenW (lpString=".dbf") returned 4 [0064.545] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0064.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0064.545] lstrlenW (lpString=".1cd") returned 4 [0064.545] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0064.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0064.545] lstrlenW (lpString=".jpg") returned 4 [0064.545] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0064.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0064.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0064.545] lstrlenW (lpString=".doc") returned 4 [0064.545] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0064.545] lstrlenW (lpString=".docx") returned 5 [0064.545] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0064.545] lstrlenW (lpString=".pdf") returned 4 [0064.545] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0064.546] lstrlenW (lpString=".xls") returned 4 [0064.546] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0064.546] lstrlenW (lpString=".xlsx") returned 5 [0064.546] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0064.546] lstrlenW (lpString=".ppt") returned 4 [0064.546] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0064.546] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0064.546] lstrlenW (lpString=".zip") returned 4 [0064.546] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0064.546] lstrlenW (lpString=".rar") returned 4 [0064.546] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0064.546] lstrlenW (lpString=".bz2") returned 4 [0064.546] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0064.546] lstrlenW (lpString=".7z") returned 3 [0064.546] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0064.546] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0064.546] lstrlenW (lpString=".dbf") returned 4 [0064.546] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0064.546] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0064.546] lstrlenW (lpString=".1cd") returned 4 [0064.546] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0064.546] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0064.546] lstrlenW (lpString=".jpg") returned 4 [0064.546] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0064.547] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0064.547] lstrlenW (lpString="SETUP.XML") returned 9 [0064.547] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0064.548] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=2424) returned 1 [0064.548] CloseHandle (hObject=0x188) returned 1 [0064.548] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml")) returned 0x20 [0064.548] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0064.548] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0064.549] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0064.549] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0064.549] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0064.549] GetLastError () returned 0x0 [0064.549] ReadFile (in: hFile=0x188, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x978, lpOverlapped=0x0) returned 1 [0064.585] WriteFile (in: hFile=0x19c, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x980, lpOverlapped=0x0) returned 1 [0064.586] ReadFile (in: hFile=0x188, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0064.586] WriteFile (in: hFile=0x19c, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0064.586] SetEndOfFile (hFile=0x19c) returned 1 [0065.095] CloseHandle (hObject=0x19c) returned 1 [0065.095] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0065.095] SetEndOfFile (hFile=0x188) returned 1 [0065.278] CloseHandle (hObject=0x188) returned 1 [0065.278] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0065.278] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml")) returned 1 [0065.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0065.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0065.279] lstrlenW (lpString=".doc") returned 4 [0065.279] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0065.279] lstrlenW (lpString=".docx") returned 5 [0065.279] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0065.279] lstrlenW (lpString=".pdf") returned 4 [0065.279] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0065.279] lstrlenW (lpString=".xls") returned 4 [0065.279] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0065.279] lstrlenW (lpString=".xlsx") returned 5 [0065.279] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0065.279] lstrlenW (lpString=".ppt") returned 4 [0065.279] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0065.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0065.280] lstrlenW (lpString=".zip") returned 4 [0065.280] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0065.280] lstrlenW (lpString=".rar") returned 4 [0065.280] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0065.280] lstrlenW (lpString=".bz2") returned 4 [0065.280] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0065.280] lstrlenW (lpString=".7z") returned 3 [0065.280] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0065.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0065.280] lstrlenW (lpString=".dbf") returned 4 [0065.280] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0065.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0065.280] lstrlenW (lpString=".1cd") returned 4 [0065.281] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0065.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0065.281] lstrlenW (lpString=".jpg") returned 4 [0065.281] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0065.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0065.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0065.281] lstrlenW (lpString=".doc") returned 4 [0065.281] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0065.281] lstrlenW (lpString=".docx") returned 5 [0065.281] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0065.281] lstrlenW (lpString=".pdf") returned 4 [0065.281] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0065.281] lstrlenW (lpString=".xls") returned 4 [0065.281] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0065.281] lstrlenW (lpString=".xlsx") returned 5 [0065.281] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0065.281] lstrlenW (lpString=".ppt") returned 4 [0065.281] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0065.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0065.281] lstrlenW (lpString=".zip") returned 4 [0065.281] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0065.282] lstrlenW (lpString=".rar") returned 4 [0065.282] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0065.282] lstrlenW (lpString=".bz2") returned 4 [0065.282] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0065.282] lstrlenW (lpString=".7z") returned 3 [0065.282] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0065.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0065.282] lstrlenW (lpString=".dbf") returned 4 [0065.282] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0065.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0065.282] lstrlenW (lpString=".1cd") returned 4 [0065.282] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0065.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0065.282] lstrlenW (lpString=".jpg") returned 4 [0065.282] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0065.282] lstrcmpiW (lpString1=".DAT", lpString2=".bmd") returned 1 [0065.282] lstrlenW (lpString="STOCKS.DAT") returned 10 [0065.282] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0066.830] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=39017) returned 1 [0066.843] CloseHandle (hObject=0x19c) returned 1 [0066.843] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat")) returned 0x20 [0066.843] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0066.843] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0066.843] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0066.856] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0066.856] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0066.856] GetLastError () returned 0x0 [0066.856] ReadFile (in: hFile=0x19c, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x9869, lpOverlapped=0x0) returned 1 [0066.915] WriteFile (in: hFile=0x198, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x9870, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x9870, lpOverlapped=0x0) returned 1 [0066.918] ReadFile (in: hFile=0x19c, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0066.918] WriteFile (in: hFile=0x198, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xe8, lpOverlapped=0x0) returned 1 [0066.918] SetEndOfFile (hFile=0x198) returned 1 [0066.918] CloseHandle (hObject=0x198) returned 1 [0066.919] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0066.919] SetEndOfFile (hFile=0x19c) returned 1 [0066.920] CloseHandle (hObject=0x19c) returned 1 [0066.920] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0066.921] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat")) returned 1 [0066.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0066.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0066.921] lstrlenW (lpString=".doc") returned 4 [0066.921] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0066.921] lstrlenW (lpString=".docx") returned 5 [0066.921] lstrcmpiW (lpString1=".docx", lpString2="S.DAT") returned -1 [0066.921] lstrlenW (lpString=".pdf") returned 4 [0066.921] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0066.922] lstrlenW (lpString=".xls") returned 4 [0066.922] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0066.922] lstrlenW (lpString=".xlsx") returned 5 [0066.922] lstrcmpiW (lpString1=".xlsx", lpString2="S.DAT") returned -1 [0066.922] lstrlenW (lpString=".ppt") returned 4 [0066.922] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0066.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0066.922] lstrlenW (lpString=".zip") returned 4 [0066.922] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0066.922] lstrlenW (lpString=".rar") returned 4 [0066.922] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0066.922] lstrlenW (lpString=".bz2") returned 4 [0066.922] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0066.922] lstrlenW (lpString=".7z") returned 3 [0066.922] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0066.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0066.922] lstrlenW (lpString=".dbf") returned 4 [0066.922] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0066.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0066.922] lstrlenW (lpString=".1cd") returned 4 [0066.922] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0066.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0066.922] lstrlenW (lpString=".jpg") returned 4 [0066.923] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0066.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0066.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0066.923] lstrlenW (lpString=".doc") returned 4 [0066.923] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0066.923] lstrlenW (lpString=".docx") returned 5 [0066.923] lstrcmpiW (lpString1=".docx", lpString2="S.DAT") returned -1 [0066.923] lstrlenW (lpString=".pdf") returned 4 [0066.923] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0066.923] lstrlenW (lpString=".xls") returned 4 [0066.923] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0066.923] lstrlenW (lpString=".xlsx") returned 5 [0066.923] lstrcmpiW (lpString1=".xlsx", lpString2="S.DAT") returned -1 [0066.923] lstrlenW (lpString=".ppt") returned 4 [0066.923] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0066.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0066.923] lstrlenW (lpString=".zip") returned 4 [0066.923] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0066.923] lstrlenW (lpString=".rar") returned 4 [0066.923] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0066.923] lstrlenW (lpString=".bz2") returned 4 [0066.923] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0066.923] lstrlenW (lpString=".7z") returned 3 [0066.923] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0066.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0066.924] lstrlenW (lpString=".dbf") returned 4 [0066.924] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0066.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0066.924] lstrlenW (lpString=".1cd") returned 4 [0066.924] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0066.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0066.924] lstrlenW (lpString=".jpg") returned 4 [0066.924] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0066.924] lstrcmpiW (lpString1=".TXT", lpString2=".bmd") returned 1 [0066.924] lstrlenW (lpString="METCONV.TXT") returned 11 [0066.924] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0066.927] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1183416) returned 1 [0066.927] CloseHandle (hObject=0x19c) returned 1 [0066.927] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt")) returned 0x20 [0066.927] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0066.927] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0066.928] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0066.928] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0066.928] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0066.928] GetLastError () returned 0x0 [0066.928] ReadFile (in: hFile=0x19c, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0xffff0, lpOverlapped=0x0) returned 1 [0066.963] WriteFile (in: hFile=0x198, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0067.106] ReadFile (in: hFile=0x19c, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x20ec8, lpOverlapped=0x0) returned 1 [0067.117] WriteFile (in: hFile=0x198, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x20ed0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x20ed0, lpOverlapped=0x0) returned 1 [0067.169] ReadFile (in: hFile=0x19c, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0067.169] WriteFile (in: hFile=0x198, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xea, lpOverlapped=0x0) returned 1 [0067.170] SetEndOfFile (hFile=0x198) returned 1 [0067.170] CloseHandle (hObject=0x198) returned 1 [0067.170] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0067.170] SetEndOfFile (hFile=0x19c) returned 1 [0067.172] CloseHandle (hObject=0x19c) returned 1 [0067.172] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0067.172] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt")) returned 1 [0067.173] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0067.173] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0067.173] lstrlenW (lpString=".doc") returned 4 [0067.173] lstrcmpiW (lpString1=".doc", lpString2=".TXT") returned -1 [0067.173] lstrlenW (lpString=".docx") returned 5 [0067.173] lstrcmpiW (lpString1=".docx", lpString2="V.TXT") returned -1 [0067.173] lstrlenW (lpString=".pdf") returned 4 [0067.173] lstrcmpiW (lpString1=".pdf", lpString2=".TXT") returned -1 [0067.173] lstrlenW (lpString=".xls") returned 4 [0067.173] lstrcmpiW (lpString1=".xls", lpString2=".TXT") returned 1 [0067.173] lstrlenW (lpString=".xlsx") returned 5 [0067.173] lstrcmpiW (lpString1=".xlsx", lpString2="V.TXT") returned -1 [0067.173] lstrlenW (lpString=".ppt") returned 4 [0067.173] lstrcmpiW (lpString1=".ppt", lpString2=".TXT") returned -1 [0067.173] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0067.173] lstrlenW (lpString=".zip") returned 4 [0067.173] lstrcmpiW (lpString1=".zip", lpString2=".TXT") returned 1 [0067.173] lstrlenW (lpString=".rar") returned 4 [0067.173] lstrcmpiW (lpString1=".rar", lpString2=".TXT") returned -1 [0067.173] lstrlenW (lpString=".bz2") returned 4 [0067.173] lstrcmpiW (lpString1=".bz2", lpString2=".TXT") returned -1 [0067.173] lstrlenW (lpString=".7z") returned 3 [0067.173] lstrcmpiW (lpString1=".7z", lpString2="TXT") returned -1 [0067.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0067.174] lstrlenW (lpString=".dbf") returned 4 [0067.174] lstrcmpiW (lpString1=".dbf", lpString2=".TXT") returned -1 [0067.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0067.174] lstrlenW (lpString=".1cd") returned 4 [0067.174] lstrcmpiW (lpString1=".1cd", lpString2=".TXT") returned -1 [0067.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0067.174] lstrlenW (lpString=".jpg") returned 4 [0067.174] lstrcmpiW (lpString1=".jpg", lpString2=".TXT") returned -1 [0067.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0067.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0067.174] lstrlenW (lpString=".doc") returned 4 [0067.174] lstrcmpiW (lpString1=".doc", lpString2=".TXT") returned -1 [0067.174] lstrlenW (lpString=".docx") returned 5 [0067.174] lstrcmpiW (lpString1=".docx", lpString2="V.TXT") returned -1 [0067.174] lstrlenW (lpString=".pdf") returned 4 [0067.174] lstrcmpiW (lpString1=".pdf", lpString2=".TXT") returned -1 [0067.174] lstrlenW (lpString=".xls") returned 4 [0067.174] lstrcmpiW (lpString1=".xls", lpString2=".TXT") returned 1 [0067.174] lstrlenW (lpString=".xlsx") returned 5 [0067.174] lstrcmpiW (lpString1=".xlsx", lpString2="V.TXT") returned -1 [0067.174] lstrlenW (lpString=".ppt") returned 4 [0067.174] lstrcmpiW (lpString1=".ppt", lpString2=".TXT") returned -1 [0067.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0067.175] lstrlenW (lpString=".zip") returned 4 [0067.175] lstrcmpiW (lpString1=".zip", lpString2=".TXT") returned 1 [0067.175] lstrlenW (lpString=".rar") returned 4 [0067.175] lstrcmpiW (lpString1=".rar", lpString2=".TXT") returned -1 [0067.175] lstrlenW (lpString=".bz2") returned 4 [0067.175] lstrcmpiW (lpString1=".bz2", lpString2=".TXT") returned -1 [0067.175] lstrlenW (lpString=".7z") returned 3 [0067.175] lstrcmpiW (lpString1=".7z", lpString2="TXT") returned -1 [0067.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0067.175] lstrlenW (lpString=".dbf") returned 4 [0067.175] lstrcmpiW (lpString1=".dbf", lpString2=".TXT") returned -1 [0067.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0067.175] lstrlenW (lpString=".1cd") returned 4 [0067.175] lstrcmpiW (lpString1=".1cd", lpString2=".TXT") returned -1 [0067.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0067.175] lstrlenW (lpString=".jpg") returned 4 [0067.175] lstrcmpiW (lpString1=".jpg", lpString2=".TXT") returned -1 [0067.175] lstrcmpiW (lpString1=".jpg", lpString2=".bmd") returned 1 [0067.175] lstrlenW (lpString="Monet.jpg") returned 9 [0067.175] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0068.106] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=2209) returned 1 [0068.106] CloseHandle (hObject=0x214) returned 1 [0068.106] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg")) returned 0x20 [0068.106] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0068.106] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0068.106] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0068.106] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0068.106] lstrlenW (lpString=".doc") returned 4 [0068.106] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0068.106] lstrlenW (lpString=".docx") returned 5 [0068.106] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0068.107] lstrlenW (lpString=".pdf") returned 4 [0068.107] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0068.107] lstrlenW (lpString=".xls") returned 4 [0068.107] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0068.107] lstrlenW (lpString=".xlsx") returned 5 [0068.107] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0068.107] lstrlenW (lpString=".ppt") returned 4 [0068.107] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0068.107] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0068.107] lstrlenW (lpString=".zip") returned 4 [0068.107] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0068.107] lstrlenW (lpString=".rar") returned 4 [0068.107] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0068.107] lstrlenW (lpString=".bz2") returned 4 [0068.107] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0068.107] lstrlenW (lpString=".7z") returned 3 [0068.107] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0068.107] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0068.108] lstrlenW (lpString=".dbf") returned 4 [0068.108] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0068.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0068.108] lstrlenW (lpString=".1cd") returned 4 [0068.108] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0068.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0068.108] lstrlenW (lpString=".jpg") returned 4 [0068.108] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0068.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0068.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0068.108] lstrlenW (lpString=".doc") returned 4 [0068.108] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0068.108] lstrlenW (lpString=".docx") returned 5 [0068.108] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0068.108] lstrlenW (lpString=".pdf") returned 4 [0068.109] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0068.109] lstrlenW (lpString=".xls") returned 4 [0068.109] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0068.109] lstrlenW (lpString=".xlsx") returned 5 [0068.109] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0068.109] lstrlenW (lpString=".ppt") returned 4 [0068.109] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0068.109] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0068.109] lstrlenW (lpString=".zip") returned 4 [0068.109] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0068.109] lstrlenW (lpString=".rar") returned 4 [0068.109] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0068.109] lstrlenW (lpString=".bz2") returned 4 [0068.109] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0068.109] lstrlenW (lpString=".7z") returned 3 [0068.109] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0068.110] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0068.110] lstrlenW (lpString=".dbf") returned 4 [0068.110] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0068.110] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0068.110] lstrlenW (lpString=".1cd") returned 4 [0068.110] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0068.110] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0068.110] lstrlenW (lpString=".jpg") returned 4 [0068.110] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0068.110] lstrcmpiW (lpString1=".GIF", lpString2=".bmd") returned 1 [0068.110] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0068.110] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0068.111] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=2848) returned 1 [0068.111] CloseHandle (hObject=0x214) returned 1 [0068.114] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif")) returned 0x20 [0068.114] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0068.114] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0068.114] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0068.114] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0068.115] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0069.132] GetLastError () returned 0x0 [0069.132] ReadFile (in: hFile=0x214, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0xb20, lpOverlapped=0x0) returned 1 [0069.145] WriteFile (in: hFile=0x20c, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xb30, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xb30, lpOverlapped=0x0) returned 1 [0069.146] ReadFile (in: hFile=0x214, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0069.146] WriteFile (in: hFile=0x20c, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xea, lpOverlapped=0x0) returned 1 [0069.146] SetEndOfFile (hFile=0x20c) returned 1 [0069.146] CloseHandle (hObject=0x20c) returned 1 [0069.147] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0069.147] SetEndOfFile (hFile=0x214) returned 1 [0069.148] CloseHandle (hObject=0x214) returned 1 [0069.148] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0069.148] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif")) returned 1 [0069.149] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0069.149] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0069.149] lstrlenW (lpString=".doc") returned 4 [0069.149] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0069.149] lstrlenW (lpString=".docx") returned 5 [0069.149] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0069.149] lstrlenW (lpString=".pdf") returned 4 [0069.149] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0069.149] lstrlenW (lpString=".xls") returned 4 [0069.149] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0069.149] lstrlenW (lpString=".xlsx") returned 5 [0069.149] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0069.149] lstrlenW (lpString=".ppt") returned 4 [0069.149] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0069.149] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0069.149] lstrlenW (lpString=".zip") returned 4 [0069.149] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0069.149] lstrlenW (lpString=".rar") returned 4 [0069.149] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0069.149] lstrlenW (lpString=".bz2") returned 4 [0069.150] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0069.150] lstrlenW (lpString=".7z") returned 3 [0069.150] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0069.150] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0069.150] lstrlenW (lpString=".dbf") returned 4 [0069.150] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0069.150] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0069.150] lstrlenW (lpString=".1cd") returned 4 [0069.150] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0069.150] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0069.150] lstrlenW (lpString=".jpg") returned 4 [0069.150] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0069.150] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0069.150] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0069.150] lstrlenW (lpString=".doc") returned 4 [0069.150] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0069.150] lstrlenW (lpString=".docx") returned 5 [0069.150] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0069.150] lstrlenW (lpString=".pdf") returned 4 [0069.150] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0069.150] lstrlenW (lpString=".xls") returned 4 [0069.150] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0069.151] lstrlenW (lpString=".xlsx") returned 5 [0069.151] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0069.151] lstrlenW (lpString=".ppt") returned 4 [0069.151] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0069.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0069.151] lstrlenW (lpString=".zip") returned 4 [0069.151] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0069.151] lstrlenW (lpString=".rar") returned 4 [0069.151] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0069.151] lstrlenW (lpString=".bz2") returned 4 [0069.151] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0069.151] lstrlenW (lpString=".7z") returned 3 [0069.151] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0069.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0069.151] lstrlenW (lpString=".dbf") returned 4 [0069.151] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0069.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0069.151] lstrlenW (lpString=".1cd") returned 4 [0069.151] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0069.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0069.151] lstrlenW (lpString=".jpg") returned 4 [0069.152] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0069.152] lstrcmpiW (lpString1=".GIF", lpString2=".bmd") returned 1 [0069.152] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0069.152] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0069.162] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1560) returned 1 [0069.162] CloseHandle (hObject=0x214) returned 1 [0069.162] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif")) returned 0x20 [0069.162] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0069.163] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0069.163] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0069.163] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0069.163] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0069.166] GetLastError () returned 0x0 [0069.166] ReadFile (in: hFile=0x214, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x618, lpOverlapped=0x0) returned 1 [0069.171] WriteFile (in: hFile=0x20c, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x620, lpOverlapped=0x0) returned 1 [0069.173] ReadFile (in: hFile=0x214, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0069.173] WriteFile (in: hFile=0x20c, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xea, lpOverlapped=0x0) returned 1 [0069.173] SetEndOfFile (hFile=0x20c) returned 1 [0069.173] CloseHandle (hObject=0x20c) returned 1 [0069.173] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0069.173] SetEndOfFile (hFile=0x214) returned 1 [0069.174] CloseHandle (hObject=0x214) returned 1 [0069.175] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0069.175] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif")) returned 1 [0069.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0069.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0069.175] lstrlenW (lpString=".doc") returned 4 [0069.175] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0069.175] lstrlenW (lpString=".docx") returned 5 [0069.176] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0069.176] lstrlenW (lpString=".pdf") returned 4 [0069.176] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0069.176] lstrlenW (lpString=".xls") returned 4 [0069.176] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0069.176] lstrlenW (lpString=".xlsx") returned 5 [0069.176] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0069.176] lstrlenW (lpString=".ppt") returned 4 [0069.176] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0069.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0069.176] lstrlenW (lpString=".zip") returned 4 [0069.176] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0069.176] lstrlenW (lpString=".rar") returned 4 [0069.176] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0069.176] lstrlenW (lpString=".bz2") returned 4 [0069.176] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0069.176] lstrlenW (lpString=".7z") returned 3 [0069.176] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0069.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0069.176] lstrlenW (lpString=".dbf") returned 4 [0069.176] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0069.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0069.176] lstrlenW (lpString=".1cd") returned 4 [0069.176] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0069.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0069.177] lstrlenW (lpString=".jpg") returned 4 [0069.177] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0069.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0069.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0069.177] lstrlenW (lpString=".doc") returned 4 [0069.177] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0069.177] lstrlenW (lpString=".docx") returned 5 [0069.177] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0069.177] lstrlenW (lpString=".pdf") returned 4 [0069.177] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0069.177] lstrlenW (lpString=".xls") returned 4 [0069.177] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0069.177] lstrlenW (lpString=".xlsx") returned 5 [0069.177] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0069.177] lstrlenW (lpString=".ppt") returned 4 [0069.177] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0069.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0069.177] lstrlenW (lpString=".zip") returned 4 [0069.177] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0069.177] lstrlenW (lpString=".rar") returned 4 [0069.178] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0069.178] lstrlenW (lpString=".bz2") returned 4 [0069.178] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0069.178] lstrlenW (lpString=".7z") returned 3 [0069.178] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0069.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0069.178] lstrlenW (lpString=".dbf") returned 4 [0069.178] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0069.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0069.178] lstrlenW (lpString=".1cd") returned 4 [0069.178] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0069.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0069.178] lstrlenW (lpString=".jpg") returned 4 [0069.178] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0069.178] lstrcmpiW (lpString1=".PNG", lpString2=".bmd") returned 1 [0069.178] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0069.179] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0069.179] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=33009) returned 1 [0069.179] CloseHandle (hObject=0x214) returned 1 [0069.179] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png")) returned 0x20 [0069.179] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0069.179] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0069.180] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0069.180] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0069.809] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0069.810] GetLastError () returned 0x0 [0069.810] ReadFile (in: hFile=0x214, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x80f1, lpOverlapped=0x0) returned 1 [0069.903] WriteFile (in: hFile=0x20c, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x8100, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x8100, lpOverlapped=0x0) returned 1 [0069.905] ReadFile (in: hFile=0x214, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0069.905] WriteFile (in: hFile=0x20c, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xec, lpOverlapped=0x0) returned 1 [0069.905] SetEndOfFile (hFile=0x20c) returned 1 [0069.906] CloseHandle (hObject=0x20c) returned 1 [0069.906] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0069.906] SetEndOfFile (hFile=0x214) returned 1 [0069.907] CloseHandle (hObject=0x214) returned 1 [0069.907] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0069.908] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png")) returned 1 [0069.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0069.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0069.908] lstrlenW (lpString=".doc") returned 4 [0069.908] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0069.908] lstrlenW (lpString=".docx") returned 5 [0069.908] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0069.908] lstrlenW (lpString=".pdf") returned 4 [0069.908] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0069.908] lstrlenW (lpString=".xls") returned 4 [0069.908] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0069.908] lstrlenW (lpString=".xlsx") returned 5 [0069.909] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0069.909] lstrlenW (lpString=".ppt") returned 4 [0069.909] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0069.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0069.909] lstrlenW (lpString=".zip") returned 4 [0069.909] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0069.909] lstrlenW (lpString=".rar") returned 4 [0069.909] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0069.909] lstrlenW (lpString=".bz2") returned 4 [0069.909] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0069.909] lstrlenW (lpString=".7z") returned 3 [0069.909] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0069.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0069.909] lstrlenW (lpString=".dbf") returned 4 [0069.909] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0069.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0069.909] lstrlenW (lpString=".1cd") returned 4 [0069.909] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0069.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0069.909] lstrlenW (lpString=".jpg") returned 4 [0069.909] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0069.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0069.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0069.909] lstrlenW (lpString=".doc") returned 4 [0069.909] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0069.910] lstrlenW (lpString=".docx") returned 5 [0069.910] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0069.910] lstrlenW (lpString=".pdf") returned 4 [0069.910] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0069.910] lstrlenW (lpString=".xls") returned 4 [0069.910] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0069.910] lstrlenW (lpString=".xlsx") returned 5 [0069.910] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0069.910] lstrlenW (lpString=".ppt") returned 4 [0069.910] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0069.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0069.910] lstrlenW (lpString=".zip") returned 4 [0069.910] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0069.910] lstrlenW (lpString=".rar") returned 4 [0069.910] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0069.910] lstrlenW (lpString=".bz2") returned 4 [0069.910] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0069.910] lstrlenW (lpString=".7z") returned 3 [0069.910] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0069.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0069.910] lstrlenW (lpString=".dbf") returned 4 [0069.910] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0069.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0069.910] lstrlenW (lpString=".1cd") returned 4 [0069.910] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0069.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0069.910] lstrlenW (lpString=".jpg") returned 4 [0069.910] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0069.911] lstrcmpiW (lpString1=".GIF", lpString2=".bmd") returned 1 [0069.911] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0069.911] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0069.911] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1925) returned 1 [0069.912] CloseHandle (hObject=0x214) returned 1 [0069.912] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif")) returned 0x20 [0069.912] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0069.912] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0069.912] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0069.912] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0069.912] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0069.923] GetLastError () returned 0x0 [0069.923] ReadFile (in: hFile=0x214, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x785, lpOverlapped=0x0) returned 1 [0069.928] WriteFile (in: hFile=0x20c, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x790, lpOverlapped=0x0) returned 1 [0069.929] ReadFile (in: hFile=0x214, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0069.929] WriteFile (in: hFile=0x20c, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xea, lpOverlapped=0x0) returned 1 [0069.929] SetEndOfFile (hFile=0x20c) returned 1 [0069.929] CloseHandle (hObject=0x20c) returned 1 [0069.930] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0069.930] SetEndOfFile (hFile=0x214) returned 1 [0069.932] CloseHandle (hObject=0x214) returned 1 [0069.932] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0069.932] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif")) returned 1 [0069.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0069.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0069.933] lstrlenW (lpString=".doc") returned 4 [0069.933] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0069.933] lstrlenW (lpString=".docx") returned 5 [0069.933] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0069.933] lstrlenW (lpString=".pdf") returned 4 [0069.933] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0069.933] lstrlenW (lpString=".xls") returned 4 [0069.933] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0069.933] lstrlenW (lpString=".xlsx") returned 5 [0069.933] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0069.933] lstrlenW (lpString=".ppt") returned 4 [0069.933] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0069.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0069.933] lstrlenW (lpString=".zip") returned 4 [0069.933] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0069.933] lstrlenW (lpString=".rar") returned 4 [0069.933] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0069.933] lstrlenW (lpString=".bz2") returned 4 [0069.933] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0069.933] lstrlenW (lpString=".7z") returned 3 [0069.933] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0069.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0069.933] lstrlenW (lpString=".dbf") returned 4 [0069.933] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0069.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0069.934] lstrlenW (lpString=".1cd") returned 4 [0069.934] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0069.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0069.934] lstrlenW (lpString=".jpg") returned 4 [0069.934] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0069.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0069.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0069.934] lstrlenW (lpString=".doc") returned 4 [0069.934] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0069.934] lstrlenW (lpString=".docx") returned 5 [0069.934] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0069.934] lstrlenW (lpString=".pdf") returned 4 [0069.934] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0069.934] lstrlenW (lpString=".xls") returned 4 [0069.934] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0069.934] lstrlenW (lpString=".xlsx") returned 5 [0069.934] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0069.934] lstrlenW (lpString=".ppt") returned 4 [0069.934] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0069.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0069.934] lstrlenW (lpString=".zip") returned 4 [0069.934] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0069.934] lstrlenW (lpString=".rar") returned 4 [0069.934] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0069.934] lstrlenW (lpString=".bz2") returned 4 [0069.934] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0069.935] lstrlenW (lpString=".7z") returned 3 [0069.935] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0069.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0069.935] lstrlenW (lpString=".dbf") returned 4 [0069.935] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0069.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0069.935] lstrlenW (lpString=".1cd") returned 4 [0069.935] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0069.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0069.935] lstrlenW (lpString=".jpg") returned 4 [0069.935] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0069.935] lstrcmpiW (lpString1=".PNG", lpString2=".bmd") returned 1 [0069.935] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0069.935] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0069.961] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=27407) returned 1 [0069.961] CloseHandle (hObject=0x204) returned 1 [0069.962] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png")) returned 0x20 [0069.962] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0069.962] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0069.962] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0069.962] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0069.962] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0069.963] GetLastError () returned 0x0 [0069.963] ReadFile (in: hFile=0x204, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x6b0f, lpOverlapped=0x0) returned 1 [0070.521] WriteFile (in: hFile=0x214, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x6b10, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x6b10, lpOverlapped=0x0) returned 1 [0070.524] ReadFile (in: hFile=0x204, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0070.524] WriteFile (in: hFile=0x214, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xec, lpOverlapped=0x0) returned 1 [0070.524] SetEndOfFile (hFile=0x214) returned 1 [0070.524] CloseHandle (hObject=0x214) returned 1 [0070.524] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0070.524] SetEndOfFile (hFile=0x204) returned 1 [0070.526] CloseHandle (hObject=0x204) returned 1 [0070.526] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0070.526] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png")) returned 1 [0070.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0070.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0070.527] lstrlenW (lpString=".doc") returned 4 [0070.527] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0070.527] lstrlenW (lpString=".docx") returned 5 [0070.527] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0070.527] lstrlenW (lpString=".pdf") returned 4 [0070.527] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0070.527] lstrlenW (lpString=".xls") returned 4 [0070.527] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0070.527] lstrlenW (lpString=".xlsx") returned 5 [0070.527] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0070.527] lstrlenW (lpString=".ppt") returned 4 [0070.527] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0070.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0070.528] lstrlenW (lpString=".zip") returned 4 [0070.528] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0070.528] lstrlenW (lpString=".rar") returned 4 [0070.528] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0070.528] lstrlenW (lpString=".bz2") returned 4 [0070.528] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0070.528] lstrlenW (lpString=".7z") returned 3 [0070.528] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0070.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0070.528] lstrlenW (lpString=".dbf") returned 4 [0070.528] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0070.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0070.528] lstrlenW (lpString=".1cd") returned 4 [0070.528] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0070.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0070.528] lstrlenW (lpString=".jpg") returned 4 [0070.529] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0070.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0070.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0070.529] lstrlenW (lpString=".doc") returned 4 [0070.529] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0070.529] lstrlenW (lpString=".docx") returned 5 [0070.529] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0070.529] lstrlenW (lpString=".pdf") returned 4 [0070.529] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0070.529] lstrlenW (lpString=".xls") returned 4 [0070.529] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0070.529] lstrlenW (lpString=".xlsx") returned 5 [0070.529] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0070.529] lstrlenW (lpString=".ppt") returned 4 [0070.529] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0070.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0070.530] lstrlenW (lpString=".zip") returned 4 [0070.530] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0070.530] lstrlenW (lpString=".rar") returned 4 [0070.530] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0070.530] lstrlenW (lpString=".bz2") returned 4 [0070.530] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0070.530] lstrlenW (lpString=".7z") returned 3 [0070.530] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0070.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0070.530] lstrlenW (lpString=".dbf") returned 4 [0070.530] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0070.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0070.530] lstrlenW (lpString=".1cd") returned 4 [0070.531] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0070.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0070.531] lstrlenW (lpString=".jpg") returned 4 [0070.531] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0070.531] lstrcmpiW (lpString1=".GIF", lpString2=".bmd") returned 1 [0070.531] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0070.531] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0070.542] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=2044) returned 1 [0070.542] CloseHandle (hObject=0x214) returned 1 [0070.542] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif")) returned 0x20 [0070.542] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0070.542] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0070.542] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0070.542] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0070.542] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0070.585] GetLastError () returned 0x0 [0070.586] ReadFile (in: hFile=0x214, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x7fc, lpOverlapped=0x0) returned 1 [0070.592] WriteFile (in: hFile=0x1f8, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x800, lpOverlapped=0x0) returned 1 [0070.594] ReadFile (in: hFile=0x214, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0070.594] WriteFile (in: hFile=0x1f8, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xea, lpOverlapped=0x0) returned 1 [0070.594] SetEndOfFile (hFile=0x1f8) returned 1 [0070.594] CloseHandle (hObject=0x1f8) returned 1 [0070.594] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0070.595] SetEndOfFile (hFile=0x214) returned 1 [0070.596] CloseHandle (hObject=0x214) returned 1 [0070.596] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0070.596] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif")) returned 1 [0070.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0070.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0070.597] lstrlenW (lpString=".doc") returned 4 [0070.597] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.597] lstrlenW (lpString=".docx") returned 5 [0070.597] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0070.597] lstrlenW (lpString=".pdf") returned 4 [0070.597] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.597] lstrlenW (lpString=".xls") returned 4 [0070.597] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.597] lstrlenW (lpString=".xlsx") returned 5 [0070.597] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0070.597] lstrlenW (lpString=".ppt") returned 4 [0070.598] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0070.598] lstrlenW (lpString=".zip") returned 4 [0070.598] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.598] lstrlenW (lpString=".rar") returned 4 [0070.598] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.598] lstrlenW (lpString=".bz2") returned 4 [0070.598] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.598] lstrlenW (lpString=".7z") returned 3 [0070.598] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0070.598] lstrlenW (lpString=".dbf") returned 4 [0070.598] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0070.599] lstrlenW (lpString=".1cd") returned 4 [0070.599] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0070.599] lstrlenW (lpString=".jpg") returned 4 [0070.599] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0070.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0070.599] lstrlenW (lpString=".doc") returned 4 [0070.600] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.600] lstrlenW (lpString=".docx") returned 5 [0070.600] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0070.600] lstrlenW (lpString=".pdf") returned 4 [0070.600] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.600] lstrlenW (lpString=".xls") returned 4 [0070.600] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.600] lstrlenW (lpString=".xlsx") returned 5 [0070.600] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0070.600] lstrlenW (lpString=".ppt") returned 4 [0070.600] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0070.600] lstrlenW (lpString=".zip") returned 4 [0070.600] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.600] lstrlenW (lpString=".rar") returned 4 [0070.600] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.600] lstrlenW (lpString=".bz2") returned 4 [0070.600] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.600] lstrlenW (lpString=".7z") returned 3 [0070.600] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.601] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0070.601] lstrlenW (lpString=".dbf") returned 4 [0070.601] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.601] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0070.601] lstrlenW (lpString=".1cd") returned 4 [0070.601] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.601] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0070.601] lstrlenW (lpString=".jpg") returned 4 [0070.601] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.601] lstrcmpiW (lpString1=".PNG", lpString2=".bmd") returned 1 [0070.601] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0070.601] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0070.602] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=29925) returned 1 [0070.602] CloseHandle (hObject=0x214) returned 1 [0070.602] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png")) returned 0x20 [0070.602] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0070.602] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0070.603] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0070.603] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0070.603] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0070.603] GetLastError () returned 0x0 [0070.603] ReadFile (in: hFile=0x214, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x74e5, lpOverlapped=0x0) returned 1 [0070.987] WriteFile (in: hFile=0x1f8, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x74f0, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x74f0, lpOverlapped=0x0) returned 1 [0070.989] ReadFile (in: hFile=0x214, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0070.989] WriteFile (in: hFile=0x1f8, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xec, lpOverlapped=0x0) returned 1 [0070.989] SetEndOfFile (hFile=0x1f8) returned 1 [0070.989] CloseHandle (hObject=0x1f8) returned 1 [0070.990] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0070.990] SetEndOfFile (hFile=0x214) returned 1 [0070.991] CloseHandle (hObject=0x214) returned 1 [0070.991] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0070.992] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png")) returned 1 [0070.992] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0070.992] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0070.992] lstrlenW (lpString=".doc") returned 4 [0070.992] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0070.992] lstrlenW (lpString=".docx") returned 5 [0070.992] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0070.992] lstrlenW (lpString=".pdf") returned 4 [0070.992] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0070.992] lstrlenW (lpString=".xls") returned 4 [0070.992] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0070.993] lstrlenW (lpString=".xlsx") returned 5 [0070.993] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0070.993] lstrlenW (lpString=".ppt") returned 4 [0070.993] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0070.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0070.993] lstrlenW (lpString=".zip") returned 4 [0070.993] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0070.993] lstrlenW (lpString=".rar") returned 4 [0070.993] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0070.993] lstrlenW (lpString=".bz2") returned 4 [0070.993] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0070.993] lstrlenW (lpString=".7z") returned 3 [0070.993] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0070.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0070.993] lstrlenW (lpString=".dbf") returned 4 [0070.993] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0070.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0070.993] lstrlenW (lpString=".1cd") returned 4 [0070.993] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0070.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0070.993] lstrlenW (lpString=".jpg") returned 4 [0070.993] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0070.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0070.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0070.993] lstrlenW (lpString=".doc") returned 4 [0070.993] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0070.994] lstrlenW (lpString=".docx") returned 5 [0070.994] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0070.994] lstrlenW (lpString=".pdf") returned 4 [0070.994] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0070.994] lstrlenW (lpString=".xls") returned 4 [0070.994] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0070.994] lstrlenW (lpString=".xlsx") returned 5 [0070.994] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0070.994] lstrlenW (lpString=".ppt") returned 4 [0070.994] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0070.994] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0070.994] lstrlenW (lpString=".zip") returned 4 [0070.994] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0070.994] lstrlenW (lpString=".rar") returned 4 [0070.994] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0070.994] lstrlenW (lpString=".bz2") returned 4 [0070.994] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0070.994] lstrlenW (lpString=".7z") returned 3 [0070.994] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0070.994] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0070.994] lstrlenW (lpString=".dbf") returned 4 [0070.994] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0070.994] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0070.994] lstrlenW (lpString=".1cd") returned 4 [0070.994] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0070.994] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0070.994] lstrlenW (lpString=".jpg") returned 4 [0070.995] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0070.995] lstrcmpiW (lpString1=".PNG", lpString2=".bmd") returned 1 [0070.995] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0070.995] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0070.995] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=20575) returned 1 [0070.995] CloseHandle (hObject=0x214) returned 1 [0070.996] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png")) returned 0x20 [0070.996] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0070.996] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0070.996] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0070.996] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0070.996] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0070.997] GetLastError () returned 0x0 [0070.997] ReadFile (in: hFile=0x214, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x505f, lpOverlapped=0x0) returned 1 [0070.999] WriteFile (in: hFile=0x1f8, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x5060, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x5060, lpOverlapped=0x0) returned 1 [0071.001] ReadFile (in: hFile=0x214, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0071.001] WriteFile (in: hFile=0x1f8, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xec, lpOverlapped=0x0) returned 1 [0071.001] SetEndOfFile (hFile=0x1f8) returned 1 [0071.001] CloseHandle (hObject=0x1f8) returned 1 [0071.001] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0071.001] SetEndOfFile (hFile=0x214) returned 1 [0071.003] CloseHandle (hObject=0x214) returned 1 [0071.003] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0071.003] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png")) returned 1 [0071.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0071.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0071.003] lstrlenW (lpString=".doc") returned 4 [0071.003] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0071.004] lstrlenW (lpString=".docx") returned 5 [0071.004] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0071.004] lstrlenW (lpString=".pdf") returned 4 [0071.004] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0071.004] lstrlenW (lpString=".xls") returned 4 [0071.004] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0071.004] lstrlenW (lpString=".xlsx") returned 5 [0071.004] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0071.004] lstrlenW (lpString=".ppt") returned 4 [0071.004] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0071.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0071.004] lstrlenW (lpString=".zip") returned 4 [0071.004] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0071.004] lstrlenW (lpString=".rar") returned 4 [0071.004] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0071.004] lstrlenW (lpString=".bz2") returned 4 [0071.004] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0071.004] lstrlenW (lpString=".7z") returned 3 [0071.004] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0071.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0071.004] lstrlenW (lpString=".dbf") returned 4 [0071.004] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0071.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0071.004] lstrlenW (lpString=".1cd") returned 4 [0071.004] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0071.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0071.004] lstrlenW (lpString=".jpg") returned 4 [0071.005] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0071.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0071.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0071.005] lstrlenW (lpString=".doc") returned 4 [0071.005] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0071.005] lstrlenW (lpString=".docx") returned 5 [0071.005] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0071.005] lstrlenW (lpString=".pdf") returned 4 [0071.005] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0071.005] lstrlenW (lpString=".xls") returned 4 [0071.005] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0071.005] lstrlenW (lpString=".xlsx") returned 5 [0071.005] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0071.006] lstrlenW (lpString=".ppt") returned 4 [0071.006] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0071.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0071.006] lstrlenW (lpString=".zip") returned 4 [0071.006] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0071.006] lstrlenW (lpString=".rar") returned 4 [0071.006] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0071.006] lstrlenW (lpString=".bz2") returned 4 [0071.006] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0071.006] lstrlenW (lpString=".7z") returned 3 [0071.006] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0071.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0071.006] lstrlenW (lpString=".dbf") returned 4 [0071.006] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0071.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0071.006] lstrlenW (lpString=".1cd") returned 4 [0071.006] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0071.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0071.006] lstrlenW (lpString=".jpg") returned 4 [0071.006] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0071.006] lstrcmpiW (lpString1=".GIF", lpString2=".bmd") returned 1 [0071.007] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0071.007] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0071.007] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=1287) returned 1 [0071.007] CloseHandle (hObject=0x214) returned 1 [0071.007] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif")) returned 0x20 [0071.007] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0071.008] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0071.008] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0071.008] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0071.008] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0071.035] GetLastError () returned 0x0 [0071.035] ReadFile (in: hFile=0x214, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x507, lpOverlapped=0x0) returned 1 [0071.037] WriteFile (in: hFile=0x21c, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0x510, lpOverlapped=0x0) returned 1 [0071.038] ReadFile (in: hFile=0x214, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesRead=0x2dafed4*=0x0, lpOverlapped=0x0) returned 1 [0071.038] WriteFile (in: hFile=0x21c, lpBuffer=0x3610020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2dafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3610020*, lpNumberOfBytesWritten=0x2dafc9c*=0xea, lpOverlapped=0x0) returned 1 [0071.039] SetEndOfFile (hFile=0x21c) returned 1 [0071.039] CloseHandle (hObject=0x21c) returned 1 [0071.039] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0071.039] SetEndOfFile (hFile=0x214) returned 1 [0071.040] CloseHandle (hObject=0x214) returned 1 [0071.040] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0071.041] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif")) returned 1 [0071.041] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0071.041] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0071.041] lstrlenW (lpString=".doc") returned 4 [0071.041] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0071.041] lstrlenW (lpString=".docx") returned 5 [0071.041] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0071.041] lstrlenW (lpString=".pdf") returned 4 [0071.041] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0071.041] lstrlenW (lpString=".xls") returned 4 [0071.041] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0071.041] lstrlenW (lpString=".xlsx") returned 5 [0071.041] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0071.041] lstrlenW (lpString=".ppt") returned 4 [0071.041] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0071.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0071.042] lstrlenW (lpString=".zip") returned 4 [0071.042] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0071.042] lstrlenW (lpString=".rar") returned 4 [0071.042] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0071.042] lstrlenW (lpString=".bz2") returned 4 [0071.042] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0071.042] lstrlenW (lpString=".7z") returned 3 [0071.042] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0071.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0071.042] lstrlenW (lpString=".dbf") returned 4 [0071.042] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0071.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0071.042] lstrlenW (lpString=".1cd") returned 4 [0071.042] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0071.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0071.042] lstrlenW (lpString=".jpg") returned 4 [0071.042] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0071.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0071.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0071.042] lstrlenW (lpString=".doc") returned 4 [0071.042] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0071.042] lstrlenW (lpString=".docx") returned 5 [0071.042] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0071.042] lstrlenW (lpString=".pdf") returned 4 [0071.043] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0071.043] lstrlenW (lpString=".xls") returned 4 [0071.043] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0071.043] lstrlenW (lpString=".xlsx") returned 5 [0071.043] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0071.043] lstrlenW (lpString=".ppt") returned 4 [0071.043] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0071.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0071.043] lstrlenW (lpString=".zip") returned 4 [0071.043] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0071.043] lstrlenW (lpString=".rar") returned 4 [0071.043] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0071.043] lstrlenW (lpString=".bz2") returned 4 [0071.043] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0071.043] lstrlenW (lpString=".7z") returned 3 [0071.043] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0071.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0071.043] lstrlenW (lpString=".dbf") returned 4 [0071.043] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0071.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0071.043] lstrlenW (lpString=".1cd") returned 4 [0071.043] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0071.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0071.043] lstrlenW (lpString=".jpg") returned 4 [0071.043] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0071.044] lstrcmpiW (lpString1=".PNG", lpString2=".bmd") returned 1 [0071.044] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0071.044] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0071.044] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2daff1c | out: lpFileSize=0x2daff1c*=28595) returned 1 [0071.044] CloseHandle (hObject=0x214) returned 1 [0071.044] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png")) returned 0x20 [0071.045] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0071.045] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0071.045] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0071.045] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dafec8 | out: lpNewFilePointer=0x0) returned 1 [0071.045] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0071.045] GetLastError () returned 0x0 [0071.045] ReadFile (hFile=0x214, lpBuffer=0x3610020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dafed4, lpOverlapped=0x0) Thread: id = 14 os_tid = 0x7ec [0047.363] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x3860048 [0047.363] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x3870050 [0047.363] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6469d0 [0047.363] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x63ce68 [0047.363] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6469e8 [0047.363] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x3960020 [0047.364] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646a00 [0047.364] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646a00, Size=0x20) returned 0x63c708 [0047.364] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646a00 [0047.364] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646a00, Size=0x20) returned 0x63c690 [0047.364] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0047.364] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0047.364] Wow64DisableWow64FsRedirection (in: OldValue=0x2eeff58 | out: OldValue=0x2eeff58*=0x0) returned 1 [0047.364] lstrlenW (lpString="kernel32.dll") returned 12 [0047.364] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c708 | out: hHeap=0x5f0000) returned 1 [0047.364] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0047.364] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c690 | out: hHeap=0x5f0000) returned 1 [0047.364] Sleep (dwMilliseconds=0x64) [0047.495] Sleep (dwMilliseconds=0x64) [0047.734] Sleep (dwMilliseconds=0x64) [0047.847] Sleep (dwMilliseconds=0x64) [0047.950] Sleep (dwMilliseconds=0x64) [0048.092] Sleep (dwMilliseconds=0x64) [0048.473] Sleep (dwMilliseconds=0x64) [0048.808] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0048.808] lstrlenW (lpString="PowerPointMUI.xml") returned 17 [0048.808] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0048.809] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=1450) returned 1 [0048.809] CloseHandle (hObject=0x190) returned 1 [0048.809] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml")) returned 0x2020 [0048.809] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.809] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0048.809] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0048.809] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0048.810] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0048.810] GetLastError () returned 0x0 [0048.810] ReadFile (in: hFile=0x190, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x5aa, lpOverlapped=0x0) returned 1 [0049.888] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0049.890] ReadFile (in: hFile=0x190, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0049.890] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xf6, lpOverlapped=0x0) returned 1 [0049.890] SetEndOfFile (hFile=0x198) returned 1 [0049.891] CloseHandle (hObject=0x198) returned 1 [0049.892] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0049.892] SetEndOfFile (hFile=0x190) returned 1 [0049.893] CloseHandle (hObject=0x190) returned 1 [0049.893] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0049.893] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml")) returned 1 [0049.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0049.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0049.894] lstrlenW (lpString=".doc") returned 4 [0049.894] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0049.894] lstrlenW (lpString=".docx") returned 5 [0049.894] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0049.894] lstrlenW (lpString=".pdf") returned 4 [0049.894] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0049.894] lstrlenW (lpString=".xls") returned 4 [0049.894] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0049.894] lstrlenW (lpString=".xlsx") returned 5 [0049.894] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0049.894] lstrlenW (lpString=".ppt") returned 4 [0049.894] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0049.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0049.894] lstrlenW (lpString=".zip") returned 4 [0049.894] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0049.895] lstrlenW (lpString=".rar") returned 4 [0049.895] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0049.895] lstrlenW (lpString=".bz2") returned 4 [0049.895] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0049.895] lstrlenW (lpString=".7z") returned 3 [0049.895] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0049.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0049.895] lstrlenW (lpString=".dbf") returned 4 [0049.895] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0049.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0049.895] lstrlenW (lpString=".1cd") returned 4 [0049.895] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0049.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0049.895] lstrlenW (lpString=".jpg") returned 4 [0049.895] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0049.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0049.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0049.895] lstrlenW (lpString=".doc") returned 4 [0049.895] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0049.895] lstrlenW (lpString=".docx") returned 5 [0049.895] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0049.895] lstrlenW (lpString=".pdf") returned 4 [0049.895] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0049.895] lstrlenW (lpString=".xls") returned 4 [0049.895] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0049.895] lstrlenW (lpString=".xlsx") returned 5 [0049.895] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0049.895] lstrlenW (lpString=".ppt") returned 4 [0049.895] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0049.896] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0049.896] lstrlenW (lpString=".zip") returned 4 [0049.896] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0049.896] lstrlenW (lpString=".rar") returned 4 [0049.896] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0049.896] lstrlenW (lpString=".bz2") returned 4 [0049.896] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0049.896] lstrlenW (lpString=".7z") returned 3 [0049.896] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0049.896] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0049.896] lstrlenW (lpString=".dbf") returned 4 [0049.896] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0049.896] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0049.896] lstrlenW (lpString=".1cd") returned 4 [0049.896] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0049.896] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0049.896] lstrlenW (lpString=".jpg") returned 4 [0049.896] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0049.896] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0049.896] lstrlenW (lpString="Proof.xml") returned 9 [0049.896] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0049.897] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=1347) returned 1 [0049.898] CloseHandle (hObject=0x190) returned 1 [0049.898] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml")) returned 0x2020 [0049.898] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0049.898] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0049.898] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0049.898] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0049.900] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0049.900] GetLastError () returned 0x0 [0049.900] ReadFile (in: hFile=0x190, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x543, lpOverlapped=0x0) returned 1 [0051.121] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x550, lpOverlapped=0x0) returned 1 [0051.123] ReadFile (in: hFile=0x190, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0051.123] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xe6, lpOverlapped=0x0) returned 1 [0051.123] SetEndOfFile (hFile=0x198) returned 1 [0051.123] CloseHandle (hObject=0x198) returned 1 [0051.124] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0051.124] SetEndOfFile (hFile=0x190) returned 1 [0051.125] CloseHandle (hObject=0x190) returned 1 [0051.125] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.126] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml")) returned 1 [0051.126] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0051.126] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0051.126] lstrlenW (lpString=".doc") returned 4 [0051.126] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.126] lstrlenW (lpString=".docx") returned 5 [0051.126] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0051.126] lstrlenW (lpString=".pdf") returned 4 [0051.126] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.126] lstrlenW (lpString=".xls") returned 4 [0051.126] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.126] lstrlenW (lpString=".xlsx") returned 5 [0051.126] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0051.127] lstrlenW (lpString=".ppt") returned 4 [0051.127] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.127] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0051.127] lstrlenW (lpString=".zip") returned 4 [0051.127] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.127] lstrlenW (lpString=".rar") returned 4 [0051.127] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.127] lstrlenW (lpString=".bz2") returned 4 [0051.127] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.127] lstrlenW (lpString=".7z") returned 3 [0051.127] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.127] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0051.127] lstrlenW (lpString=".dbf") returned 4 [0051.127] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.127] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0051.127] lstrlenW (lpString=".1cd") returned 4 [0051.127] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.127] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0051.127] lstrlenW (lpString=".jpg") returned 4 [0051.127] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.127] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0051.127] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0051.127] lstrlenW (lpString=".doc") returned 4 [0051.127] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.127] lstrlenW (lpString=".docx") returned 5 [0051.127] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0051.128] lstrlenW (lpString=".pdf") returned 4 [0051.128] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.128] lstrlenW (lpString=".xls") returned 4 [0051.128] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.128] lstrlenW (lpString=".xlsx") returned 5 [0051.128] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0051.128] lstrlenW (lpString=".ppt") returned 4 [0051.128] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.128] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0051.128] lstrlenW (lpString=".zip") returned 4 [0051.128] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.128] lstrlenW (lpString=".rar") returned 4 [0051.128] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.128] lstrlenW (lpString=".bz2") returned 4 [0051.128] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.128] lstrlenW (lpString=".7z") returned 3 [0051.128] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.128] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0051.128] lstrlenW (lpString=".dbf") returned 4 [0051.128] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.128] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0051.128] lstrlenW (lpString=".1cd") returned 4 [0051.128] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.128] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0051.128] lstrlenW (lpString=".jpg") returned 4 [0051.128] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.129] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0051.129] lstrlenW (lpString="Setup.xml") returned 9 [0051.129] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0051.129] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=5884) returned 1 [0051.129] CloseHandle (hObject=0x190) returned 1 [0051.129] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0051.129] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0051.129] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0051.130] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0051.130] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0051.130] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0051.130] GetLastError () returned 0x0 [0051.130] ReadFile (in: hFile=0x190, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x16fc, lpOverlapped=0x0) returned 1 [0051.241] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x1700, lpOverlapped=0x0) returned 1 [0051.243] ReadFile (in: hFile=0x190, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0051.243] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xe6, lpOverlapped=0x0) returned 1 [0051.243] SetEndOfFile (hFile=0x198) returned 1 [0051.243] CloseHandle (hObject=0x198) returned 1 [0051.244] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0051.244] SetEndOfFile (hFile=0x190) returned 1 [0051.246] CloseHandle (hObject=0x190) returned 1 [0051.246] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.246] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0051.246] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.247] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.247] lstrlenW (lpString=".doc") returned 4 [0051.247] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.247] lstrlenW (lpString=".docx") returned 5 [0051.247] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0051.247] lstrlenW (lpString=".pdf") returned 4 [0051.247] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.247] lstrlenW (lpString=".xls") returned 4 [0051.247] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.247] lstrlenW (lpString=".xlsx") returned 5 [0051.247] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0051.247] lstrlenW (lpString=".ppt") returned 4 [0051.247] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.247] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.247] lstrlenW (lpString=".zip") returned 4 [0051.247] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.247] lstrlenW (lpString=".rar") returned 4 [0051.247] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.247] lstrlenW (lpString=".bz2") returned 4 [0051.247] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.247] lstrlenW (lpString=".7z") returned 3 [0051.247] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.247] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.247] lstrlenW (lpString=".dbf") returned 4 [0051.247] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.247] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.248] lstrlenW (lpString=".1cd") returned 4 [0051.248] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.248] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.248] lstrlenW (lpString=".jpg") returned 4 [0051.248] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.248] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.248] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.248] lstrlenW (lpString=".doc") returned 4 [0051.248] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.248] lstrlenW (lpString=".docx") returned 5 [0051.248] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0051.248] lstrlenW (lpString=".pdf") returned 4 [0051.248] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.248] lstrlenW (lpString=".xls") returned 4 [0051.248] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.248] lstrlenW (lpString=".xlsx") returned 5 [0051.248] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0051.248] lstrlenW (lpString=".ppt") returned 4 [0051.248] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.248] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.248] lstrlenW (lpString=".zip") returned 4 [0051.248] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.248] lstrlenW (lpString=".rar") returned 4 [0051.248] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.249] lstrlenW (lpString=".bz2") returned 4 [0051.249] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.249] lstrlenW (lpString=".7z") returned 3 [0051.249] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.249] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.249] lstrlenW (lpString=".dbf") returned 4 [0051.249] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.249] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.249] lstrlenW (lpString=".1cd") returned 4 [0051.249] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.249] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.249] lstrlenW (lpString=".jpg") returned 4 [0051.249] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.249] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0051.249] lstrlenW (lpString="Setup.xml") returned 9 [0051.249] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0051.250] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=1852) returned 1 [0051.250] CloseHandle (hObject=0x190) returned 1 [0051.250] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0051.250] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0051.250] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0051.250] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0051.250] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0051.250] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0051.251] GetLastError () returned 0x0 [0051.251] ReadFile (in: hFile=0x190, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x73c, lpOverlapped=0x0) returned 1 [0051.277] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x740, lpOverlapped=0x0) returned 1 [0051.278] ReadFile (in: hFile=0x190, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0051.278] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xe6, lpOverlapped=0x0) returned 1 [0051.278] SetEndOfFile (hFile=0x198) returned 1 [0051.278] CloseHandle (hObject=0x198) returned 1 [0051.283] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0051.283] SetEndOfFile (hFile=0x190) returned 1 [0051.284] CloseHandle (hObject=0x190) returned 1 [0051.284] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.284] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0051.284] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.284] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.284] lstrlenW (lpString=".doc") returned 4 [0051.284] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.284] lstrlenW (lpString=".docx") returned 5 [0051.284] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0051.284] lstrlenW (lpString=".pdf") returned 4 [0051.284] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.284] lstrlenW (lpString=".xls") returned 4 [0051.284] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.284] lstrlenW (lpString=".xlsx") returned 5 [0051.285] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0051.285] lstrlenW (lpString=".ppt") returned 4 [0051.285] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.285] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.285] lstrlenW (lpString=".zip") returned 4 [0051.285] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.285] lstrlenW (lpString=".rar") returned 4 [0051.285] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.285] lstrlenW (lpString=".bz2") returned 4 [0051.285] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.285] lstrlenW (lpString=".7z") returned 3 [0051.285] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.285] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.285] lstrlenW (lpString=".dbf") returned 4 [0051.285] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.285] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.285] lstrlenW (lpString=".1cd") returned 4 [0051.285] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.285] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.285] lstrlenW (lpString=".jpg") returned 4 [0051.285] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.285] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.285] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.285] lstrlenW (lpString=".doc") returned 4 [0051.285] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.285] lstrlenW (lpString=".docx") returned 5 [0051.285] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0051.285] lstrlenW (lpString=".pdf") returned 4 [0051.285] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.285] lstrlenW (lpString=".xls") returned 4 [0051.285] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.285] lstrlenW (lpString=".xlsx") returned 5 [0051.285] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0051.285] lstrlenW (lpString=".ppt") returned 4 [0051.285] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.286] lstrlenW (lpString=".zip") returned 4 [0051.286] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.286] lstrlenW (lpString=".rar") returned 4 [0051.286] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.286] lstrlenW (lpString=".bz2") returned 4 [0051.286] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.286] lstrlenW (lpString=".7z") returned 3 [0051.286] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.286] lstrlenW (lpString=".dbf") returned 4 [0051.286] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.286] lstrlenW (lpString=".1cd") returned 4 [0051.286] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.286] lstrlenW (lpString=".jpg") returned 4 [0051.286] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.286] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0051.286] lstrlenW (lpString="Setup.xml") returned 9 [0051.286] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0051.287] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=1988) returned 1 [0051.287] CloseHandle (hObject=0x190) returned 1 [0051.287] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0051.287] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0051.288] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0051.288] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0051.288] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0051.288] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0051.288] GetLastError () returned 0x0 [0051.288] ReadFile (in: hFile=0x190, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x7c4, lpOverlapped=0x0) returned 1 [0051.607] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x7d0, lpOverlapped=0x0) returned 1 [0051.608] ReadFile (in: hFile=0x190, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0051.608] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xe6, lpOverlapped=0x0) returned 1 [0051.609] SetEndOfFile (hFile=0x198) returned 1 [0051.609] CloseHandle (hObject=0x198) returned 1 [0051.610] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0051.610] SetEndOfFile (hFile=0x190) returned 1 [0051.611] CloseHandle (hObject=0x190) returned 1 [0051.611] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0051.612] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0051.612] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.612] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.612] lstrlenW (lpString=".doc") returned 4 [0051.612] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.612] lstrlenW (lpString=".docx") returned 5 [0051.612] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0051.612] lstrlenW (lpString=".pdf") returned 4 [0051.612] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.612] lstrlenW (lpString=".xls") returned 4 [0051.612] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.612] lstrlenW (lpString=".xlsx") returned 5 [0051.612] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0051.612] lstrlenW (lpString=".ppt") returned 4 [0051.612] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.612] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.612] lstrlenW (lpString=".zip") returned 4 [0051.612] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.612] lstrlenW (lpString=".rar") returned 4 [0051.612] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.612] lstrlenW (lpString=".bz2") returned 4 [0051.612] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.612] lstrlenW (lpString=".7z") returned 3 [0051.612] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.612] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.613] lstrlenW (lpString=".dbf") returned 4 [0051.613] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.613] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.613] lstrlenW (lpString=".1cd") returned 4 [0051.613] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.613] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.613] lstrlenW (lpString=".jpg") returned 4 [0051.613] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.613] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.613] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.613] lstrlenW (lpString=".doc") returned 4 [0051.613] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0051.613] lstrlenW (lpString=".docx") returned 5 [0051.613] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0051.613] lstrlenW (lpString=".pdf") returned 4 [0051.613] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0051.613] lstrlenW (lpString=".xls") returned 4 [0051.613] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0051.613] lstrlenW (lpString=".xlsx") returned 5 [0051.613] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0051.613] lstrlenW (lpString=".ppt") returned 4 [0051.613] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0051.613] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.613] lstrlenW (lpString=".zip") returned 4 [0051.613] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0051.613] lstrlenW (lpString=".rar") returned 4 [0051.613] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0051.613] lstrlenW (lpString=".bz2") returned 4 [0051.613] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0051.613] lstrlenW (lpString=".7z") returned 3 [0051.613] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0051.614] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.614] lstrlenW (lpString=".dbf") returned 4 [0051.614] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0051.614] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.614] lstrlenW (lpString=".1cd") returned 4 [0051.614] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0051.614] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0051.614] lstrlenW (lpString=".jpg") returned 4 [0051.614] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0051.614] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0051.614] lstrlenW (lpString="branding.xml") returned 12 [0051.614] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0051.711] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=596341) returned 1 [0051.721] CloseHandle (hObject=0x1f0) returned 1 [0051.721] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml")) returned 0x2020 [0051.721] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0051.721] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0051.721] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0051.721] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0051.722] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0051.740] GetLastError () returned 0x0 [0051.740] ReadFile (in: hFile=0x1f0, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x91975, lpOverlapped=0x0) returned 1 [0051.814] WriteFile (in: hFile=0x1f4, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x91980, lpOverlapped=0x0) returned 1 [0051.827] ReadFile (in: hFile=0x1f0, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0051.827] WriteFile (in: hFile=0x1f4, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.827] SetEndOfFile (hFile=0x1f4) returned 1 [0051.828] CloseHandle (hObject=0x1f4) returned 1 [0052.239] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0052.239] SetEndOfFile (hFile=0x1f0) returned 1 [0052.245] CloseHandle (hObject=0x1f0) returned 1 [0052.245] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0052.245] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml")) returned 1 [0052.245] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0052.245] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0052.246] lstrlenW (lpString=".doc") returned 4 [0052.246] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.246] lstrlenW (lpString=".docx") returned 5 [0052.246] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0052.246] lstrlenW (lpString=".pdf") returned 4 [0052.246] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.246] lstrlenW (lpString=".xls") returned 4 [0052.246] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.246] lstrlenW (lpString=".xlsx") returned 5 [0052.246] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0052.246] lstrlenW (lpString=".ppt") returned 4 [0052.246] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.246] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0052.246] lstrlenW (lpString=".zip") returned 4 [0052.246] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.246] lstrlenW (lpString=".rar") returned 4 [0052.246] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.246] lstrlenW (lpString=".bz2") returned 4 [0052.246] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.246] lstrlenW (lpString=".7z") returned 3 [0052.246] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.246] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0052.246] lstrlenW (lpString=".dbf") returned 4 [0052.246] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.246] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0052.246] lstrlenW (lpString=".1cd") returned 4 [0052.246] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.246] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0052.246] lstrlenW (lpString=".jpg") returned 4 [0052.246] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.246] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0052.246] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0052.247] lstrlenW (lpString=".doc") returned 4 [0052.247] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.247] lstrlenW (lpString=".docx") returned 5 [0052.247] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0052.247] lstrlenW (lpString=".pdf") returned 4 [0052.247] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.247] lstrlenW (lpString=".xls") returned 4 [0052.247] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.247] lstrlenW (lpString=".xlsx") returned 5 [0052.247] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0052.247] lstrlenW (lpString=".ppt") returned 4 [0052.247] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.247] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0052.247] lstrlenW (lpString=".zip") returned 4 [0052.247] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.247] lstrlenW (lpString=".rar") returned 4 [0052.247] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.247] lstrlenW (lpString=".bz2") returned 4 [0052.247] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.247] lstrlenW (lpString=".7z") returned 3 [0052.247] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.247] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0052.247] lstrlenW (lpString=".dbf") returned 4 [0052.247] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.247] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0052.247] lstrlenW (lpString=".1cd") returned 4 [0052.247] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.247] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0052.247] lstrlenW (lpString=".jpg") returned 4 [0052.247] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.248] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0052.248] lstrlenW (lpString="Setup.xml") returned 9 [0052.248] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0052.613] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=31094) returned 1 [0052.613] CloseHandle (hObject=0x1f4) returned 1 [0052.613] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0052.614] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0052.614] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0052.614] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0052.614] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0052.614] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0052.614] GetLastError () returned 0x0 [0052.614] ReadFile (in: hFile=0x1f4, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x7976, lpOverlapped=0x0) returned 1 [0052.617] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x7980, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x7980, lpOverlapped=0x0) returned 1 [0052.619] ReadFile (in: hFile=0x1f4, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0052.619] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xe6, lpOverlapped=0x0) returned 1 [0052.619] SetEndOfFile (hFile=0x198) returned 1 [0052.620] CloseHandle (hObject=0x198) returned 1 [0052.621] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0052.621] SetEndOfFile (hFile=0x1f4) returned 1 [0052.623] CloseHandle (hObject=0x1f4) returned 1 [0052.623] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0052.623] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0052.623] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.623] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.623] lstrlenW (lpString=".doc") returned 4 [0052.623] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.623] lstrlenW (lpString=".docx") returned 5 [0052.624] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0052.624] lstrlenW (lpString=".pdf") returned 4 [0052.624] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.624] lstrlenW (lpString=".xls") returned 4 [0052.624] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.624] lstrlenW (lpString=".xlsx") returned 5 [0052.624] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0052.624] lstrlenW (lpString=".ppt") returned 4 [0052.624] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.624] lstrlenW (lpString=".zip") returned 4 [0052.624] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.624] lstrlenW (lpString=".rar") returned 4 [0052.624] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.624] lstrlenW (lpString=".bz2") returned 4 [0052.624] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.624] lstrlenW (lpString=".7z") returned 3 [0052.624] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.624] lstrlenW (lpString=".dbf") returned 4 [0052.624] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.624] lstrlenW (lpString=".1cd") returned 4 [0052.624] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.624] lstrlenW (lpString=".jpg") returned 4 [0052.624] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.625] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.625] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.625] lstrlenW (lpString=".doc") returned 4 [0052.625] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.625] lstrlenW (lpString=".docx") returned 5 [0052.625] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0052.625] lstrlenW (lpString=".pdf") returned 4 [0052.625] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.625] lstrlenW (lpString=".xls") returned 4 [0052.625] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.625] lstrlenW (lpString=".xlsx") returned 5 [0052.625] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0052.625] lstrlenW (lpString=".ppt") returned 4 [0052.625] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.625] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.625] lstrlenW (lpString=".zip") returned 4 [0052.625] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.625] lstrlenW (lpString=".rar") returned 4 [0052.625] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.625] lstrlenW (lpString=".bz2") returned 4 [0052.625] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.625] lstrlenW (lpString=".7z") returned 3 [0052.625] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.625] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.625] lstrlenW (lpString=".dbf") returned 4 [0052.625] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.625] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.625] lstrlenW (lpString=".1cd") returned 4 [0052.626] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.626] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.626] lstrlenW (lpString=".jpg") returned 4 [0052.626] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.626] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0052.626] lstrlenW (lpString="Setup.xml") returned 9 [0052.626] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0052.626] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=20577) returned 1 [0052.626] CloseHandle (hObject=0x1f4) returned 1 [0052.629] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0052.629] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0052.629] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0052.629] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0052.630] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0052.630] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0052.630] GetLastError () returned 0x0 [0052.630] ReadFile (in: hFile=0x1f4, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x5061, lpOverlapped=0x0) returned 1 [0052.633] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x5070, lpOverlapped=0x0) returned 1 [0052.634] ReadFile (in: hFile=0x1f4, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0052.634] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xe6, lpOverlapped=0x0) returned 1 [0052.635] SetEndOfFile (hFile=0x198) returned 1 [0052.635] CloseHandle (hObject=0x198) returned 1 [0052.637] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0052.637] SetEndOfFile (hFile=0x1f4) returned 1 [0052.638] CloseHandle (hObject=0x1f4) returned 1 [0052.638] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0052.638] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0052.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.639] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.639] lstrlenW (lpString=".doc") returned 4 [0052.639] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.639] lstrlenW (lpString=".docx") returned 5 [0052.639] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0052.639] lstrlenW (lpString=".pdf") returned 4 [0052.639] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.639] lstrlenW (lpString=".xls") returned 4 [0052.639] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.639] lstrlenW (lpString=".xlsx") returned 5 [0052.639] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0052.639] lstrlenW (lpString=".ppt") returned 4 [0052.639] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.639] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.639] lstrlenW (lpString=".zip") returned 4 [0052.639] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.639] lstrlenW (lpString=".rar") returned 4 [0052.639] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.639] lstrlenW (lpString=".bz2") returned 4 [0052.639] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.639] lstrlenW (lpString=".7z") returned 3 [0052.639] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.639] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.639] lstrlenW (lpString=".dbf") returned 4 [0052.639] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.639] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.639] lstrlenW (lpString=".1cd") returned 4 [0052.639] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.639] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.639] lstrlenW (lpString=".jpg") returned 4 [0052.639] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.640] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.640] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.640] lstrlenW (lpString=".doc") returned 4 [0052.640] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.640] lstrlenW (lpString=".docx") returned 5 [0052.640] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0052.640] lstrlenW (lpString=".pdf") returned 4 [0052.640] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.640] lstrlenW (lpString=".xls") returned 4 [0052.640] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.640] lstrlenW (lpString=".xlsx") returned 5 [0052.640] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0052.640] lstrlenW (lpString=".ppt") returned 4 [0052.640] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.640] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.640] lstrlenW (lpString=".zip") returned 4 [0052.640] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.640] lstrlenW (lpString=".rar") returned 4 [0052.640] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.640] lstrlenW (lpString=".bz2") returned 4 [0052.640] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.640] lstrlenW (lpString=".7z") returned 3 [0052.640] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.640] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.640] lstrlenW (lpString=".dbf") returned 4 [0052.640] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.640] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.640] lstrlenW (lpString=".1cd") returned 4 [0052.640] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.640] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0052.641] lstrlenW (lpString=".jpg") returned 4 [0052.641] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.641] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0052.641] lstrlenW (lpString="VisiorWW.xml") returned 12 [0052.641] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0052.642] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=8723) returned 1 [0052.642] CloseHandle (hObject=0x1f4) returned 1 [0052.642] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml")) returned 0x2020 [0052.642] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0052.642] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0052.642] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0052.642] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0052.643] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0052.643] GetLastError () returned 0x0 [0052.643] ReadFile (in: hFile=0x1f4, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x2213, lpOverlapped=0x0) returned 1 [0052.645] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x2220, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x2220, lpOverlapped=0x0) returned 1 [0052.646] ReadFile (in: hFile=0x1f4, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0052.646] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.647] SetEndOfFile (hFile=0x198) returned 1 [0052.647] CloseHandle (hObject=0x198) returned 1 [0052.648] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0052.648] SetEndOfFile (hFile=0x1f4) returned 1 [0052.649] CloseHandle (hObject=0x1f4) returned 1 [0052.649] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0052.649] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml")) returned 1 [0052.651] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0052.651] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0052.651] lstrlenW (lpString=".doc") returned 4 [0052.651] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.651] lstrlenW (lpString=".docx") returned 5 [0052.651] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0052.651] lstrlenW (lpString=".pdf") returned 4 [0052.651] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.651] lstrlenW (lpString=".xls") returned 4 [0052.651] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.651] lstrlenW (lpString=".xlsx") returned 5 [0052.651] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0052.651] lstrlenW (lpString=".ppt") returned 4 [0052.651] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.652] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0052.652] lstrlenW (lpString=".zip") returned 4 [0052.652] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.652] lstrlenW (lpString=".rar") returned 4 [0052.652] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.652] lstrlenW (lpString=".bz2") returned 4 [0052.652] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.652] lstrlenW (lpString=".7z") returned 3 [0052.652] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.652] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0052.652] lstrlenW (lpString=".dbf") returned 4 [0052.652] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.652] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0052.652] lstrlenW (lpString=".1cd") returned 4 [0052.652] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.652] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0052.652] lstrlenW (lpString=".jpg") returned 4 [0052.652] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.652] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0052.652] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0052.652] lstrlenW (lpString=".doc") returned 4 [0052.652] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0052.652] lstrlenW (lpString=".docx") returned 5 [0052.652] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0052.652] lstrlenW (lpString=".pdf") returned 4 [0052.652] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0052.652] lstrlenW (lpString=".xls") returned 4 [0052.652] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0052.652] lstrlenW (lpString=".xlsx") returned 5 [0052.653] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0052.653] lstrlenW (lpString=".ppt") returned 4 [0052.653] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0052.653] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0052.653] lstrlenW (lpString=".zip") returned 4 [0052.653] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0052.653] lstrlenW (lpString=".rar") returned 4 [0052.653] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0052.653] lstrlenW (lpString=".bz2") returned 4 [0052.653] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0052.653] lstrlenW (lpString=".7z") returned 3 [0052.653] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0052.653] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0052.653] lstrlenW (lpString=".dbf") returned 4 [0052.653] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0052.653] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0052.653] lstrlenW (lpString=".1cd") returned 4 [0052.653] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0052.653] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0052.653] lstrlenW (lpString=".jpg") returned 4 [0052.653] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0052.653] lstrcmpiW (lpString1=".EPS", lpString2=".bmd") returned 1 [0052.653] lstrlenW (lpString="MS.EPS") returned 6 [0052.653] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0054.897] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=15067) returned 1 [0054.897] CloseHandle (hObject=0x1ac) returned 1 [0054.897] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps")) returned 0x20 [0054.897] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0054.897] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0054.897] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0054.897] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0054.897] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0054.897] GetLastError () returned 0x0 [0054.898] ReadFile (in: hFile=0x1ac, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x3adb, lpOverlapped=0x0) returned 1 [0056.144] WriteFile (in: hFile=0x1e8, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x3ae0, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x3ae0, lpOverlapped=0x0) returned 1 [0056.145] ReadFile (in: hFile=0x1ac, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0056.148] WriteFile (in: hFile=0x1e8, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xe0, lpOverlapped=0x0) returned 1 [0056.148] SetEndOfFile (hFile=0x1e8) returned 1 [0056.148] CloseHandle (hObject=0x1e8) returned 1 [0056.149] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0056.149] SetEndOfFile (hFile=0x1ac) returned 1 [0056.150] CloseHandle (hObject=0x1ac) returned 1 [0056.150] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0056.150] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps")) returned 1 [0056.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0056.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0056.151] lstrlenW (lpString=".doc") returned 4 [0056.151] lstrcmpiW (lpString1=".doc", lpString2=".EPS") returned -1 [0056.151] lstrlenW (lpString=".docx") returned 5 [0056.151] lstrcmpiW (lpString1=".docx", lpString2="S.EPS") returned -1 [0056.151] lstrlenW (lpString=".pdf") returned 4 [0056.151] lstrcmpiW (lpString1=".pdf", lpString2=".EPS") returned 1 [0056.151] lstrlenW (lpString=".xls") returned 4 [0056.151] lstrcmpiW (lpString1=".xls", lpString2=".EPS") returned 1 [0056.151] lstrlenW (lpString=".xlsx") returned 5 [0056.151] lstrcmpiW (lpString1=".xlsx", lpString2="S.EPS") returned -1 [0056.151] lstrlenW (lpString=".ppt") returned 4 [0056.151] lstrcmpiW (lpString1=".ppt", lpString2=".EPS") returned 1 [0056.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0056.151] lstrlenW (lpString=".zip") returned 4 [0056.151] lstrcmpiW (lpString1=".zip", lpString2=".EPS") returned 1 [0056.151] lstrlenW (lpString=".rar") returned 4 [0056.151] lstrcmpiW (lpString1=".rar", lpString2=".EPS") returned 1 [0056.151] lstrlenW (lpString=".bz2") returned 4 [0056.151] lstrcmpiW (lpString1=".bz2", lpString2=".EPS") returned -1 [0056.151] lstrlenW (lpString=".7z") returned 3 [0056.151] lstrcmpiW (lpString1=".7z", lpString2="EPS") returned -1 [0056.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0056.151] lstrlenW (lpString=".dbf") returned 4 [0056.151] lstrcmpiW (lpString1=".dbf", lpString2=".EPS") returned -1 [0056.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0056.151] lstrlenW (lpString=".1cd") returned 4 [0056.151] lstrcmpiW (lpString1=".1cd", lpString2=".EPS") returned -1 [0056.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0056.152] lstrlenW (lpString=".jpg") returned 4 [0056.152] lstrcmpiW (lpString1=".jpg", lpString2=".EPS") returned 1 [0056.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0056.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0056.152] lstrlenW (lpString=".doc") returned 4 [0056.152] lstrcmpiW (lpString1=".doc", lpString2=".EPS") returned -1 [0056.152] lstrlenW (lpString=".docx") returned 5 [0056.152] lstrcmpiW (lpString1=".docx", lpString2="S.EPS") returned -1 [0056.152] lstrlenW (lpString=".pdf") returned 4 [0056.152] lstrcmpiW (lpString1=".pdf", lpString2=".EPS") returned 1 [0056.152] lstrlenW (lpString=".xls") returned 4 [0056.152] lstrcmpiW (lpString1=".xls", lpString2=".EPS") returned 1 [0056.152] lstrlenW (lpString=".xlsx") returned 5 [0056.152] lstrcmpiW (lpString1=".xlsx", lpString2="S.EPS") returned -1 [0056.152] lstrlenW (lpString=".ppt") returned 4 [0056.152] lstrcmpiW (lpString1=".ppt", lpString2=".EPS") returned 1 [0056.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0056.152] lstrlenW (lpString=".zip") returned 4 [0056.152] lstrcmpiW (lpString1=".zip", lpString2=".EPS") returned 1 [0056.152] lstrlenW (lpString=".rar") returned 4 [0056.152] lstrcmpiW (lpString1=".rar", lpString2=".EPS") returned 1 [0056.152] lstrlenW (lpString=".bz2") returned 4 [0056.152] lstrcmpiW (lpString1=".bz2", lpString2=".EPS") returned -1 [0056.152] lstrlenW (lpString=".7z") returned 3 [0056.152] lstrcmpiW (lpString1=".7z", lpString2="EPS") returned -1 [0056.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0056.152] lstrlenW (lpString=".dbf") returned 4 [0056.152] lstrcmpiW (lpString1=".dbf", lpString2=".EPS") returned -1 [0056.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0056.152] lstrlenW (lpString=".1cd") returned 4 [0056.152] lstrcmpiW (lpString1=".1cd", lpString2=".EPS") returned -1 [0056.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0056.153] lstrlenW (lpString=".jpg") returned 4 [0056.153] lstrcmpiW (lpString1=".jpg", lpString2=".EPS") returned 1 [0056.153] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0056.153] lstrlenW (lpString="Alphabet.xml") returned 12 [0056.153] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0057.773] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=791686) returned 1 [0057.773] CloseHandle (hObject=0x1a0) returned 1 [0057.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml")) returned 0x20 [0057.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0057.773] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0057.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0057.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0057.773] lstrlenW (lpString=".doc") returned 4 [0057.773] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0057.774] lstrlenW (lpString=".docx") returned 5 [0057.774] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0057.774] lstrlenW (lpString=".pdf") returned 4 [0057.774] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0057.774] lstrlenW (lpString=".xls") returned 4 [0057.774] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0057.774] lstrlenW (lpString=".xlsx") returned 5 [0057.774] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0057.774] lstrlenW (lpString=".ppt") returned 4 [0057.774] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0057.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0057.774] lstrlenW (lpString=".zip") returned 4 [0057.774] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0057.774] lstrlenW (lpString=".rar") returned 4 [0057.774] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0057.774] lstrlenW (lpString=".bz2") returned 4 [0057.775] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0057.775] lstrlenW (lpString=".7z") returned 3 [0057.775] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0057.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0057.775] lstrlenW (lpString=".dbf") returned 4 [0057.775] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0057.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0057.775] lstrlenW (lpString=".1cd") returned 4 [0057.775] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0057.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0057.775] lstrlenW (lpString=".jpg") returned 4 [0057.775] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0057.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0057.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0057.775] lstrlenW (lpString=".doc") returned 4 [0057.775] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0057.775] lstrlenW (lpString=".docx") returned 5 [0057.775] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0057.775] lstrlenW (lpString=".pdf") returned 4 [0057.775] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0057.775] lstrlenW (lpString=".xls") returned 4 [0057.775] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0057.775] lstrlenW (lpString=".xlsx") returned 5 [0057.775] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0057.775] lstrlenW (lpString=".ppt") returned 4 [0057.775] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0057.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0057.775] lstrlenW (lpString=".zip") returned 4 [0057.775] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0057.775] lstrlenW (lpString=".rar") returned 4 [0057.776] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0057.776] lstrlenW (lpString=".bz2") returned 4 [0057.776] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0057.776] lstrlenW (lpString=".7z") returned 3 [0057.776] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0057.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0057.776] lstrlenW (lpString=".dbf") returned 4 [0057.776] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0057.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0057.776] lstrlenW (lpString=".1cd") returned 4 [0057.776] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0057.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0057.776] lstrlenW (lpString=".jpg") returned 4 [0057.776] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0057.776] lstrcmpiW (lpString1=".avi", lpString2=".bmd") returned -1 [0057.776] lstrlenW (lpString="boxed-delete.avi") returned 16 [0057.777] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0058.032] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=31744) returned 1 [0058.032] CloseHandle (hObject=0x1d0) returned 1 [0058.032] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi")) returned 0x20 [0058.032] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.032] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0058.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0058.033] lstrlenW (lpString=".doc") returned 4 [0058.033] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0058.033] lstrlenW (lpString=".docx") returned 5 [0058.033] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0058.033] lstrlenW (lpString=".pdf") returned 4 [0058.033] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0058.033] lstrlenW (lpString=".xls") returned 4 [0058.033] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0058.033] lstrlenW (lpString=".xlsx") returned 5 [0058.033] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0058.033] lstrlenW (lpString=".ppt") returned 4 [0058.033] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0058.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0058.033] lstrlenW (lpString=".zip") returned 4 [0058.033] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0058.033] lstrlenW (lpString=".rar") returned 4 [0058.033] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0058.033] lstrlenW (lpString=".bz2") returned 4 [0058.033] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0058.033] lstrlenW (lpString=".7z") returned 3 [0058.033] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0058.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0058.033] lstrlenW (lpString=".dbf") returned 4 [0058.033] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0058.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0058.033] lstrlenW (lpString=".1cd") returned 4 [0058.034] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0058.034] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0058.034] lstrlenW (lpString=".jpg") returned 4 [0058.034] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0058.034] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0058.034] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0058.034] lstrlenW (lpString=".doc") returned 4 [0058.034] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0058.034] lstrlenW (lpString=".docx") returned 5 [0058.034] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0058.034] lstrlenW (lpString=".pdf") returned 4 [0058.034] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0058.034] lstrlenW (lpString=".xls") returned 4 [0058.034] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0058.034] lstrlenW (lpString=".xlsx") returned 5 [0058.034] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0058.034] lstrlenW (lpString=".ppt") returned 4 [0058.034] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0058.034] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0058.034] lstrlenW (lpString=".zip") returned 4 [0058.034] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0058.034] lstrlenW (lpString=".rar") returned 4 [0058.034] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0058.034] lstrlenW (lpString=".bz2") returned 4 [0058.034] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0058.034] lstrlenW (lpString=".7z") returned 3 [0058.035] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0058.035] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0058.035] lstrlenW (lpString=".dbf") returned 4 [0058.035] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0058.035] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0058.035] lstrlenW (lpString=".1cd") returned 4 [0058.035] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0058.035] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0058.035] lstrlenW (lpString=".jpg") returned 4 [0058.035] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0058.035] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0058.035] lstrlenW (lpString="auxpad.xml") returned 10 [0058.035] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0058.336] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=212) returned 1 [0058.336] CloseHandle (hObject=0x208) returned 1 [0058.336] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml")) returned 0x20 [0058.336] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.336] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.336] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0058.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0058.337] lstrlenW (lpString=".doc") returned 4 [0058.337] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.337] lstrlenW (lpString=".docx") returned 5 [0058.337] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0058.337] lstrlenW (lpString=".pdf") returned 4 [0058.337] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.337] lstrlenW (lpString=".xls") returned 4 [0058.337] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.337] lstrlenW (lpString=".xlsx") returned 5 [0058.337] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0058.337] lstrlenW (lpString=".ppt") returned 4 [0058.337] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0058.337] lstrlenW (lpString=".zip") returned 4 [0058.337] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.337] lstrlenW (lpString=".rar") returned 4 [0058.337] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.337] lstrlenW (lpString=".bz2") returned 4 [0058.337] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.337] lstrlenW (lpString=".7z") returned 3 [0058.337] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0058.337] lstrlenW (lpString=".dbf") returned 4 [0058.337] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0058.337] lstrlenW (lpString=".1cd") returned 4 [0058.337] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0058.338] lstrlenW (lpString=".jpg") returned 4 [0058.338] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0058.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0058.338] lstrlenW (lpString=".doc") returned 4 [0058.338] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.338] lstrlenW (lpString=".docx") returned 5 [0058.338] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0058.338] lstrlenW (lpString=".pdf") returned 4 [0058.338] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.338] lstrlenW (lpString=".xls") returned 4 [0058.338] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.338] lstrlenW (lpString=".xlsx") returned 5 [0058.338] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0058.338] lstrlenW (lpString=".ppt") returned 4 [0058.338] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0058.339] lstrlenW (lpString=".zip") returned 4 [0058.339] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.339] lstrlenW (lpString=".rar") returned 4 [0058.339] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.339] lstrlenW (lpString=".bz2") returned 4 [0058.339] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.339] lstrlenW (lpString=".7z") returned 3 [0058.339] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0058.339] lstrlenW (lpString=".dbf") returned 4 [0058.339] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0058.339] lstrlenW (lpString=".1cd") returned 4 [0058.339] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0058.339] lstrlenW (lpString=".jpg") returned 4 [0058.339] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.339] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0058.339] lstrlenW (lpString="keypad.xml") returned 10 [0058.339] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0058.803] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=727) returned 1 [0058.803] CloseHandle (hObject=0x204) returned 1 [0058.803] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml")) returned 0x20 [0058.803] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.803] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0058.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0058.803] lstrlenW (lpString=".doc") returned 4 [0058.804] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.804] lstrlenW (lpString=".docx") returned 5 [0058.804] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0058.804] lstrlenW (lpString=".pdf") returned 4 [0058.804] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.804] lstrlenW (lpString=".xls") returned 4 [0058.804] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.804] lstrlenW (lpString=".xlsx") returned 5 [0058.804] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0058.804] lstrlenW (lpString=".ppt") returned 4 [0058.804] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0058.804] lstrlenW (lpString=".zip") returned 4 [0058.804] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.804] lstrlenW (lpString=".rar") returned 4 [0058.804] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.804] lstrlenW (lpString=".bz2") returned 4 [0058.804] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.804] lstrlenW (lpString=".7z") returned 3 [0058.804] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0058.804] lstrlenW (lpString=".dbf") returned 4 [0058.804] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0058.804] lstrlenW (lpString=".1cd") returned 4 [0058.804] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0058.804] lstrlenW (lpString=".jpg") returned 4 [0058.804] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0058.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0058.805] lstrlenW (lpString=".doc") returned 4 [0058.805] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.805] lstrlenW (lpString=".docx") returned 5 [0058.805] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0058.805] lstrlenW (lpString=".pdf") returned 4 [0058.805] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.805] lstrlenW (lpString=".xls") returned 4 [0058.805] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.805] lstrlenW (lpString=".xlsx") returned 5 [0058.805] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0058.805] lstrlenW (lpString=".ppt") returned 4 [0058.805] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0058.805] lstrlenW (lpString=".zip") returned 4 [0058.805] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.805] lstrlenW (lpString=".rar") returned 4 [0058.805] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.805] lstrlenW (lpString=".bz2") returned 4 [0058.805] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.805] lstrlenW (lpString=".7z") returned 3 [0058.805] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0058.805] lstrlenW (lpString=".dbf") returned 4 [0058.805] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0058.805] lstrlenW (lpString=".1cd") returned 4 [0058.805] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0058.805] lstrlenW (lpString=".jpg") returned 4 [0058.805] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.806] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0058.806] lstrlenW (lpString="oskmenubase.xml") returned 15 [0058.806] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0058.807] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=471) returned 1 [0058.807] CloseHandle (hObject=0x204) returned 1 [0058.807] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml")) returned 0x20 [0058.807] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.807] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.807] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0058.807] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0058.807] lstrlenW (lpString=".doc") returned 4 [0058.807] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.807] lstrlenW (lpString=".docx") returned 5 [0058.807] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0058.808] lstrlenW (lpString=".pdf") returned 4 [0058.808] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.808] lstrlenW (lpString=".xls") returned 4 [0058.808] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.808] lstrlenW (lpString=".xlsx") returned 5 [0058.808] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0058.808] lstrlenW (lpString=".ppt") returned 4 [0058.808] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.808] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0058.808] lstrlenW (lpString=".zip") returned 4 [0058.808] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.808] lstrlenW (lpString=".rar") returned 4 [0058.808] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.808] lstrlenW (lpString=".bz2") returned 4 [0058.808] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.808] lstrlenW (lpString=".7z") returned 3 [0058.808] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.808] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0058.808] lstrlenW (lpString=".dbf") returned 4 [0058.808] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.808] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0058.808] lstrlenW (lpString=".1cd") returned 4 [0058.808] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.808] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0058.808] lstrlenW (lpString=".jpg") returned 4 [0058.808] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.808] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0058.808] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0058.808] lstrlenW (lpString=".doc") returned 4 [0058.808] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.808] lstrlenW (lpString=".docx") returned 5 [0058.808] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0058.808] lstrlenW (lpString=".pdf") returned 4 [0058.809] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.809] lstrlenW (lpString=".xls") returned 4 [0058.809] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.809] lstrlenW (lpString=".xlsx") returned 5 [0058.809] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0058.809] lstrlenW (lpString=".ppt") returned 4 [0058.809] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.809] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0058.809] lstrlenW (lpString=".zip") returned 4 [0058.809] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.809] lstrlenW (lpString=".rar") returned 4 [0058.809] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.809] lstrlenW (lpString=".bz2") returned 4 [0058.809] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.809] lstrlenW (lpString=".7z") returned 3 [0058.809] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.809] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0058.809] lstrlenW (lpString=".dbf") returned 4 [0058.809] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.809] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0058.809] lstrlenW (lpString=".1cd") returned 4 [0058.809] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.809] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0058.809] lstrlenW (lpString=".jpg") returned 4 [0058.809] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.809] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0058.809] lstrlenW (lpString="oskmenu.xml") returned 11 [0058.809] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0058.810] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=215) returned 1 [0058.810] CloseHandle (hObject=0x204) returned 1 [0058.810] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml")) returned 0x20 [0058.810] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.810] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.810] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0058.810] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0058.810] lstrlenW (lpString=".doc") returned 4 [0058.810] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.810] lstrlenW (lpString=".docx") returned 5 [0058.810] lstrcmpiW (lpString1=".docx", lpString2="u.xml") returned -1 [0058.810] lstrlenW (lpString=".pdf") returned 4 [0058.810] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.810] lstrlenW (lpString=".xls") returned 4 [0058.810] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.810] lstrlenW (lpString=".xlsx") returned 5 [0058.810] lstrcmpiW (lpString1=".xlsx", lpString2="u.xml") returned -1 [0058.810] lstrlenW (lpString=".ppt") returned 4 [0058.810] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0058.811] lstrlenW (lpString=".zip") returned 4 [0058.811] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.811] lstrlenW (lpString=".rar") returned 4 [0058.811] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.811] lstrlenW (lpString=".bz2") returned 4 [0058.811] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.811] lstrlenW (lpString=".7z") returned 3 [0058.811] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0058.811] lstrlenW (lpString=".dbf") returned 4 [0058.811] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0058.811] lstrlenW (lpString=".1cd") returned 4 [0058.811] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0058.811] lstrlenW (lpString=".jpg") returned 4 [0058.811] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0058.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0058.811] lstrlenW (lpString=".doc") returned 4 [0058.811] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.811] lstrlenW (lpString=".docx") returned 5 [0058.811] lstrcmpiW (lpString1=".docx", lpString2="u.xml") returned -1 [0058.811] lstrlenW (lpString=".pdf") returned 4 [0058.811] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.811] lstrlenW (lpString=".xls") returned 4 [0058.811] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.811] lstrlenW (lpString=".xlsx") returned 5 [0058.811] lstrcmpiW (lpString1=".xlsx", lpString2="u.xml") returned -1 [0058.811] lstrlenW (lpString=".ppt") returned 4 [0058.812] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0058.812] lstrlenW (lpString=".zip") returned 4 [0058.812] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.812] lstrlenW (lpString=".rar") returned 4 [0058.812] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.812] lstrlenW (lpString=".bz2") returned 4 [0058.812] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.812] lstrlenW (lpString=".7z") returned 3 [0058.812] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0058.812] lstrlenW (lpString=".dbf") returned 4 [0058.812] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0058.812] lstrlenW (lpString=".1cd") returned 4 [0058.812] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0058.812] lstrlenW (lpString=".jpg") returned 4 [0058.812] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.812] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0058.812] lstrlenW (lpString="osknumpadbase.xml") returned 17 [0058.812] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0058.813] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=1437) returned 1 [0058.813] CloseHandle (hObject=0x204) returned 1 [0058.813] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml")) returned 0x20 [0058.813] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.813] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0058.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0058.813] lstrlenW (lpString=".doc") returned 4 [0058.813] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.813] lstrlenW (lpString=".docx") returned 5 [0058.813] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0058.813] lstrlenW (lpString=".pdf") returned 4 [0058.813] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.813] lstrlenW (lpString=".xls") returned 4 [0058.813] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.813] lstrlenW (lpString=".xlsx") returned 5 [0058.813] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0058.813] lstrlenW (lpString=".ppt") returned 4 [0058.813] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0058.813] lstrlenW (lpString=".zip") returned 4 [0058.813] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.813] lstrlenW (lpString=".rar") returned 4 [0058.813] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.813] lstrlenW (lpString=".bz2") returned 4 [0058.813] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.813] lstrlenW (lpString=".7z") returned 3 [0058.813] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0058.814] lstrlenW (lpString=".dbf") returned 4 [0058.814] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0058.814] lstrlenW (lpString=".1cd") returned 4 [0058.814] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0058.814] lstrlenW (lpString=".jpg") returned 4 [0058.814] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0058.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0058.814] lstrlenW (lpString=".doc") returned 4 [0058.814] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.814] lstrlenW (lpString=".docx") returned 5 [0058.814] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0058.814] lstrlenW (lpString=".pdf") returned 4 [0058.814] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.814] lstrlenW (lpString=".xls") returned 4 [0058.814] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.814] lstrlenW (lpString=".xlsx") returned 5 [0058.814] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0058.814] lstrlenW (lpString=".ppt") returned 4 [0058.814] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0058.814] lstrlenW (lpString=".zip") returned 4 [0058.814] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.814] lstrlenW (lpString=".rar") returned 4 [0058.814] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.814] lstrlenW (lpString=".bz2") returned 4 [0058.814] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.814] lstrlenW (lpString=".7z") returned 3 [0058.814] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0058.815] lstrlenW (lpString=".dbf") returned 4 [0058.815] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0058.815] lstrlenW (lpString=".1cd") returned 4 [0058.815] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0058.815] lstrlenW (lpString=".jpg") returned 4 [0058.815] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.815] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0058.815] lstrlenW (lpString="osknumpad.xml") returned 13 [0058.815] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0058.816] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=219) returned 1 [0058.816] CloseHandle (hObject=0x204) returned 1 [0058.816] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml")) returned 0x20 [0058.816] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.816] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.816] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0058.816] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0058.816] lstrlenW (lpString=".doc") returned 4 [0058.816] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.816] lstrlenW (lpString=".docx") returned 5 [0058.816] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0058.816] lstrlenW (lpString=".pdf") returned 4 [0058.816] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.817] lstrlenW (lpString=".xls") returned 4 [0058.817] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.817] lstrlenW (lpString=".xlsx") returned 5 [0058.817] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0058.817] lstrlenW (lpString=".ppt") returned 4 [0058.817] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0058.817] lstrlenW (lpString=".zip") returned 4 [0058.817] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.817] lstrlenW (lpString=".rar") returned 4 [0058.817] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.817] lstrlenW (lpString=".bz2") returned 4 [0058.817] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.817] lstrlenW (lpString=".7z") returned 3 [0058.817] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0058.817] lstrlenW (lpString=".dbf") returned 4 [0058.817] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0058.817] lstrlenW (lpString=".1cd") returned 4 [0058.817] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0058.817] lstrlenW (lpString=".jpg") returned 4 [0058.817] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0058.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0058.817] lstrlenW (lpString=".doc") returned 4 [0058.817] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.818] lstrlenW (lpString=".docx") returned 5 [0058.818] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0058.818] lstrlenW (lpString=".pdf") returned 4 [0058.818] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.818] lstrlenW (lpString=".xls") returned 4 [0058.818] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.818] lstrlenW (lpString=".xlsx") returned 5 [0058.818] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0058.818] lstrlenW (lpString=".ppt") returned 4 [0058.818] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0058.818] lstrlenW (lpString=".zip") returned 4 [0058.818] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.818] lstrlenW (lpString=".rar") returned 4 [0058.818] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.818] lstrlenW (lpString=".bz2") returned 4 [0058.818] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.818] lstrlenW (lpString=".7z") returned 3 [0058.818] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0058.818] lstrlenW (lpString=".dbf") returned 4 [0058.818] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0058.818] lstrlenW (lpString=".1cd") returned 4 [0058.818] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0058.818] lstrlenW (lpString=".jpg") returned 4 [0058.818] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.819] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0058.819] lstrlenW (lpString="oskpredbase.xml") returned 15 [0058.819] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0058.820] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=924) returned 1 [0058.820] CloseHandle (hObject=0x204) returned 1 [0058.820] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml")) returned 0x20 [0058.820] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.820] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.820] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0058.820] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0058.820] lstrlenW (lpString=".doc") returned 4 [0058.820] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.820] lstrlenW (lpString=".docx") returned 5 [0058.820] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0058.820] lstrlenW (lpString=".pdf") returned 4 [0058.820] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.820] lstrlenW (lpString=".xls") returned 4 [0058.820] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.820] lstrlenW (lpString=".xlsx") returned 5 [0058.820] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0058.820] lstrlenW (lpString=".ppt") returned 4 [0058.820] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.820] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0058.820] lstrlenW (lpString=".zip") returned 4 [0058.820] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.820] lstrlenW (lpString=".rar") returned 4 [0058.820] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.821] lstrlenW (lpString=".bz2") returned 4 [0058.821] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.821] lstrlenW (lpString=".7z") returned 3 [0058.821] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.821] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0058.821] lstrlenW (lpString=".dbf") returned 4 [0058.821] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.821] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0058.821] lstrlenW (lpString=".1cd") returned 4 [0058.821] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.821] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0058.821] lstrlenW (lpString=".jpg") returned 4 [0058.821] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.821] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0058.821] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0058.821] lstrlenW (lpString=".doc") returned 4 [0058.821] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.821] lstrlenW (lpString=".docx") returned 5 [0058.821] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0058.821] lstrlenW (lpString=".pdf") returned 4 [0058.821] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.821] lstrlenW (lpString=".xls") returned 4 [0058.821] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.821] lstrlenW (lpString=".xlsx") returned 5 [0058.821] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0058.821] lstrlenW (lpString=".ppt") returned 4 [0058.821] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.822] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0058.822] lstrlenW (lpString=".zip") returned 4 [0058.822] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.822] lstrlenW (lpString=".rar") returned 4 [0058.822] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.822] lstrlenW (lpString=".bz2") returned 4 [0058.822] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.822] lstrlenW (lpString=".7z") returned 3 [0058.822] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.822] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0058.822] lstrlenW (lpString=".dbf") returned 4 [0058.822] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.822] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0058.822] lstrlenW (lpString=".1cd") returned 4 [0058.822] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.822] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0058.822] lstrlenW (lpString=".jpg") returned 4 [0058.822] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.822] lstrcmpiW (lpString1=".xml", lpString2=".bmd") returned 1 [0058.822] lstrlenW (lpString="oskpred.xml") returned 11 [0058.822] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0058.823] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=215) returned 1 [0058.823] CloseHandle (hObject=0x204) returned 1 [0058.823] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml")) returned 0x20 [0058.823] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.823] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0058.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0058.823] lstrlenW (lpString=".doc") returned 4 [0058.823] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.823] lstrlenW (lpString=".docx") returned 5 [0058.823] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0058.823] lstrlenW (lpString=".pdf") returned 4 [0058.823] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.823] lstrlenW (lpString=".xls") returned 4 [0058.823] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.823] lstrlenW (lpString=".xlsx") returned 5 [0058.823] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0058.823] lstrlenW (lpString=".ppt") returned 4 [0058.823] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.824] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0058.824] lstrlenW (lpString=".zip") returned 4 [0058.824] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.824] lstrlenW (lpString=".rar") returned 4 [0058.824] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.824] lstrlenW (lpString=".bz2") returned 4 [0058.824] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.824] lstrlenW (lpString=".7z") returned 3 [0058.824] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.824] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0058.824] lstrlenW (lpString=".dbf") returned 4 [0058.824] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.831] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0 [0058.832] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0 [0058.832] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0 [0058.833] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0 [0058.864] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0058.867] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0058.867] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefc6c | out: lpNewFilePointer=0x0) returned 1 [0058.868] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefc2c | out: lpNewFilePointer=0x0) returned 1 [0058.868] ReadFile (in: hFile=0x204, lpBuffer=0x3960058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2eefc38, lpOverlapped=0x0 | out: lpBuffer=0x3960058*, lpNumberOfBytesRead=0x2eefc38*=0x40000, lpOverlapped=0x0) returned 1 [0058.882] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x88bff, lpNewFilePointer=0x0, dwMoveMethod=0x2eefc2c | out: lpNewFilePointer=0x0) returned 1 [0058.882] ReadFile (in: hFile=0x204, lpBuffer=0x39a0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2eefc38, lpOverlapped=0x0 | out: lpBuffer=0x39a0058*, lpNumberOfBytesRead=0x2eefc38*=0x40000, lpOverlapped=0x0) returned 1 [0058.888] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2eefc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0058.888] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x15a3ff, lpNewFilePointer=0x0, dwMoveMethod=0x2eefc2c | out: lpNewFilePointer=0x0) returned 1 [0058.889] ReadFile (in: hFile=0x204, lpBuffer=0x39e0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2eefc38, lpOverlapped=0x0 | out: lpBuffer=0x39e0058*, lpNumberOfBytesRead=0x2eefc38*=0x40000, lpOverlapped=0x0) returned 1 [0058.905] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0058.905] WriteFile (in: hFile=0x204, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x2eefcb0, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0059.176] SetEndOfFile (hFile=0x204) returned 1 [0059.177] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x40d20a8 [0059.468] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefc7c | out: lpNewFilePointer=0x0) returned 1 [0059.468] WriteFile (in: hFile=0x204, lpBuffer=0x40d20a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2eefc88, lpOverlapped=0x0 | out: lpBuffer=0x40d20a8*, lpNumberOfBytesWritten=0x2eefc88*=0x40000, lpOverlapped=0x0) returned 1 [0059.470] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x88bff, lpNewFilePointer=0x0, dwMoveMethod=0x2eefc7c | out: lpNewFilePointer=0x0) returned 1 [0059.470] WriteFile (in: hFile=0x204, lpBuffer=0x40d20a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2eefc88, lpOverlapped=0x0 | out: lpBuffer=0x40d20a8*, lpNumberOfBytesWritten=0x2eefc88*=0x40000, lpOverlapped=0x0) returned 1 [0059.473] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x15a3ff, lpNewFilePointer=0x0, dwMoveMethod=0x2eefc7c | out: lpNewFilePointer=0x0) returned 1 [0059.473] WriteFile (in: hFile=0x204, lpBuffer=0x40d20a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2eefc88, lpOverlapped=0x0 | out: lpBuffer=0x40d20a8*, lpNumberOfBytesWritten=0x2eefc88*=0x40000, lpOverlapped=0x0) returned 1 [0059.476] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x40d20a8 | out: hHeap=0x5f0000) returned 1 [0059.477] CloseHandle (hObject=0x204) returned 1 [0060.726] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0060.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0060.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0060.726] lstrlenW (lpString=".doc") returned 4 [0060.726] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0060.726] lstrlenW (lpString=".docx") returned 5 [0060.726] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0060.726] lstrlenW (lpString=".pdf") returned 4 [0060.726] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0060.726] lstrlenW (lpString=".xls") returned 4 [0060.726] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0060.726] lstrlenW (lpString=".xlsx") returned 5 [0060.726] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0060.726] lstrlenW (lpString=".ppt") returned 4 [0060.727] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0060.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0060.727] lstrlenW (lpString=".zip") returned 4 [0060.727] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0060.727] lstrlenW (lpString=".rar") returned 4 [0060.727] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0060.727] lstrlenW (lpString=".bz2") returned 4 [0060.727] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0060.727] lstrlenW (lpString=".7z") returned 3 [0060.727] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0060.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0060.727] lstrlenW (lpString=".dbf") returned 4 [0060.727] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0060.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0060.727] lstrlenW (lpString=".1cd") returned 4 [0060.727] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0060.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0060.727] lstrlenW (lpString=".jpg") returned 4 [0060.727] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0060.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0060.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0060.727] lstrlenW (lpString=".doc") returned 4 [0060.727] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0060.727] lstrlenW (lpString=".docx") returned 5 [0060.728] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0060.728] lstrlenW (lpString=".pdf") returned 4 [0060.728] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0060.728] lstrlenW (lpString=".xls") returned 4 [0060.728] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0060.728] lstrlenW (lpString=".xlsx") returned 5 [0060.728] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0060.728] lstrlenW (lpString=".ppt") returned 4 [0060.728] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0060.728] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0060.728] lstrlenW (lpString=".zip") returned 4 [0060.728] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0060.728] lstrlenW (lpString=".rar") returned 4 [0060.728] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0060.728] lstrlenW (lpString=".bz2") returned 4 [0060.728] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0060.728] lstrlenW (lpString=".7z") returned 3 [0060.728] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0060.728] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0060.728] lstrlenW (lpString=".dbf") returned 4 [0060.728] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0060.728] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0060.728] lstrlenW (lpString=".1cd") returned 4 [0060.728] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0060.728] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0060.728] lstrlenW (lpString=".jpg") returned 4 [0060.728] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0060.729] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0060.729] lstrlenW (lpString="OfficeMUI.XML") returned 13 [0060.729] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0061.316] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=5557) returned 1 [0061.316] CloseHandle (hObject=0x184) returned 1 [0061.316] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml")) returned 0x20 [0061.316] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0061.317] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0061.317] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0061.317] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0061.317] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0061.318] GetLastError () returned 0x0 [0061.318] ReadFile (in: hFile=0x184, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x15b5, lpOverlapped=0x0) returned 1 [0061.349] WriteFile (in: hFile=0x208, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x15c0, lpOverlapped=0x0) returned 1 [0061.350] ReadFile (in: hFile=0x184, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0061.351] WriteFile (in: hFile=0x208, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xee, lpOverlapped=0x0) returned 1 [0061.351] SetEndOfFile (hFile=0x208) returned 1 [0061.351] CloseHandle (hObject=0x208) returned 1 [0061.356] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0061.356] SetEndOfFile (hFile=0x184) returned 1 [0061.357] CloseHandle (hObject=0x184) returned 1 [0061.358] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0061.358] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml")) returned 1 [0061.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0061.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0061.358] lstrlenW (lpString=".doc") returned 4 [0061.358] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0061.358] lstrlenW (lpString=".docx") returned 5 [0061.359] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0061.359] lstrlenW (lpString=".pdf") returned 4 [0061.359] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0061.359] lstrlenW (lpString=".xls") returned 4 [0061.359] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0061.359] lstrlenW (lpString=".xlsx") returned 5 [0061.359] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0061.359] lstrlenW (lpString=".ppt") returned 4 [0061.359] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0061.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0061.359] lstrlenW (lpString=".zip") returned 4 [0061.359] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0061.359] lstrlenW (lpString=".rar") returned 4 [0061.359] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0061.359] lstrlenW (lpString=".bz2") returned 4 [0061.359] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0061.359] lstrlenW (lpString=".7z") returned 3 [0061.359] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0061.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0061.359] lstrlenW (lpString=".dbf") returned 4 [0061.359] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0061.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0061.359] lstrlenW (lpString=".1cd") returned 4 [0061.359] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0061.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0061.359] lstrlenW (lpString=".jpg") returned 4 [0061.360] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0061.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0061.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0061.360] lstrlenW (lpString=".doc") returned 4 [0061.360] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0061.360] lstrlenW (lpString=".docx") returned 5 [0061.360] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0061.360] lstrlenW (lpString=".pdf") returned 4 [0061.360] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0061.360] lstrlenW (lpString=".xls") returned 4 [0061.360] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0061.360] lstrlenW (lpString=".xlsx") returned 5 [0061.360] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0061.360] lstrlenW (lpString=".ppt") returned 4 [0061.360] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0061.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0061.360] lstrlenW (lpString=".zip") returned 4 [0061.360] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0061.360] lstrlenW (lpString=".rar") returned 4 [0061.360] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0061.360] lstrlenW (lpString=".bz2") returned 4 [0061.360] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0061.360] lstrlenW (lpString=".7z") returned 3 [0061.360] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0061.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0061.360] lstrlenW (lpString=".dbf") returned 4 [0061.360] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0061.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0061.361] lstrlenW (lpString=".1cd") returned 4 [0061.361] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0061.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0061.361] lstrlenW (lpString=".jpg") returned 4 [0061.361] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0061.361] lstrcmpiW (lpString1=".CHM", lpString2=".bmd") returned 1 [0061.361] lstrlenW (lpString="PSCONFIG.CHM") returned 12 [0061.361] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0061.362] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=37689) returned 1 [0061.362] CloseHandle (hObject=0x184) returned 1 [0061.362] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm")) returned 0x20 [0061.362] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0061.363] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0061.363] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0061.363] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0061.363] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0061.363] GetLastError () returned 0x0 [0061.363] ReadFile (in: hFile=0x184, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x9339, lpOverlapped=0x0) returned 1 [0061.365] WriteFile (in: hFile=0x208, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x9340, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x9340, lpOverlapped=0x0) returned 1 [0061.367] ReadFile (in: hFile=0x184, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0061.367] WriteFile (in: hFile=0x208, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xec, lpOverlapped=0x0) returned 1 [0061.367] SetEndOfFile (hFile=0x208) returned 1 [0061.367] CloseHandle (hObject=0x208) returned 1 [0061.373] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0061.373] SetEndOfFile (hFile=0x184) returned 1 [0061.374] CloseHandle (hObject=0x184) returned 1 [0061.374] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0061.375] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm")) returned 1 [0061.375] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0061.375] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0061.375] lstrlenW (lpString=".doc") returned 4 [0061.375] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0061.375] lstrlenW (lpString=".docx") returned 5 [0061.375] lstrcmpiW (lpString1=".docx", lpString2="G.CHM") returned -1 [0061.375] lstrlenW (lpString=".pdf") returned 4 [0061.375] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0061.376] lstrlenW (lpString=".xls") returned 4 [0061.376] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0061.376] lstrlenW (lpString=".xlsx") returned 5 [0061.376] lstrcmpiW (lpString1=".xlsx", lpString2="G.CHM") returned -1 [0061.376] lstrlenW (lpString=".ppt") returned 4 [0061.376] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0061.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0061.376] lstrlenW (lpString=".zip") returned 4 [0061.376] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0061.376] lstrlenW (lpString=".rar") returned 4 [0061.376] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0061.376] lstrlenW (lpString=".bz2") returned 4 [0061.376] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0061.376] lstrlenW (lpString=".7z") returned 3 [0061.376] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0061.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0061.376] lstrlenW (lpString=".dbf") returned 4 [0061.376] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0061.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0061.376] lstrlenW (lpString=".1cd") returned 4 [0061.376] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0061.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0061.376] lstrlenW (lpString=".jpg") returned 4 [0061.376] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0061.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0061.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0061.377] lstrlenW (lpString=".doc") returned 4 [0061.377] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0061.377] lstrlenW (lpString=".docx") returned 5 [0061.377] lstrcmpiW (lpString1=".docx", lpString2="G.CHM") returned -1 [0061.377] lstrlenW (lpString=".pdf") returned 4 [0061.377] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0061.377] lstrlenW (lpString=".xls") returned 4 [0061.377] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0061.377] lstrlenW (lpString=".xlsx") returned 5 [0061.377] lstrcmpiW (lpString1=".xlsx", lpString2="G.CHM") returned -1 [0061.377] lstrlenW (lpString=".ppt") returned 4 [0061.377] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0061.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0061.377] lstrlenW (lpString=".zip") returned 4 [0061.377] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0061.377] lstrlenW (lpString=".rar") returned 4 [0061.377] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0061.377] lstrlenW (lpString=".bz2") returned 4 [0061.377] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0061.377] lstrlenW (lpString=".7z") returned 3 [0061.377] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0061.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0061.377] lstrlenW (lpString=".dbf") returned 4 [0061.377] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0061.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0061.377] lstrlenW (lpString=".1cd") returned 4 [0061.378] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0061.378] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0061.378] lstrlenW (lpString=".jpg") returned 4 [0061.378] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0061.378] lstrcmpiW (lpString1=".CHM", lpString2=".bmd") returned 1 [0061.378] lstrlenW (lpString="PSS10O.CHM") returned 10 [0061.378] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0061.378] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=26929) returned 1 [0061.378] CloseHandle (hObject=0x184) returned 1 [0061.379] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm")) returned 0x20 [0061.379] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0061.379] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0061.379] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0061.379] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0061.379] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0061.379] GetLastError () returned 0x0 [0061.379] ReadFile (in: hFile=0x184, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x6931, lpOverlapped=0x0) returned 1 [0062.083] WriteFile (in: hFile=0x208, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x6940, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x6940, lpOverlapped=0x0) returned 1 [0062.085] ReadFile (in: hFile=0x184, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0062.085] WriteFile (in: hFile=0x208, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xe8, lpOverlapped=0x0) returned 1 [0062.085] SetEndOfFile (hFile=0x208) returned 1 [0062.085] CloseHandle (hObject=0x208) returned 1 [0062.086] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0062.086] SetEndOfFile (hFile=0x184) returned 1 [0062.087] CloseHandle (hObject=0x184) returned 1 [0062.087] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.088] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm")) returned 1 [0062.088] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0062.088] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0062.088] lstrlenW (lpString=".doc") returned 4 [0062.088] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0062.088] lstrlenW (lpString=".docx") returned 5 [0062.088] lstrcmpiW (lpString1=".docx", lpString2="O.CHM") returned -1 [0062.088] lstrlenW (lpString=".pdf") returned 4 [0062.088] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0062.088] lstrlenW (lpString=".xls") returned 4 [0062.088] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0062.088] lstrlenW (lpString=".xlsx") returned 5 [0062.088] lstrcmpiW (lpString1=".xlsx", lpString2="O.CHM") returned -1 [0062.088] lstrlenW (lpString=".ppt") returned 4 [0062.088] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0062.088] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0062.088] lstrlenW (lpString=".zip") returned 4 [0062.088] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0062.088] lstrlenW (lpString=".rar") returned 4 [0062.089] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0062.089] lstrlenW (lpString=".bz2") returned 4 [0062.089] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0062.089] lstrlenW (lpString=".7z") returned 3 [0062.089] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0062.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0062.089] lstrlenW (lpString=".dbf") returned 4 [0062.089] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0062.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0062.089] lstrlenW (lpString=".1cd") returned 4 [0062.089] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0062.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0062.089] lstrlenW (lpString=".jpg") returned 4 [0062.089] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0062.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0062.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0062.089] lstrlenW (lpString=".doc") returned 4 [0062.089] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0062.089] lstrlenW (lpString=".docx") returned 5 [0062.089] lstrcmpiW (lpString1=".docx", lpString2="O.CHM") returned -1 [0062.089] lstrlenW (lpString=".pdf") returned 4 [0062.089] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0062.089] lstrlenW (lpString=".xls") returned 4 [0062.089] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0062.089] lstrlenW (lpString=".xlsx") returned 5 [0062.089] lstrcmpiW (lpString1=".xlsx", lpString2="O.CHM") returned -1 [0062.089] lstrlenW (lpString=".ppt") returned 4 [0062.089] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0062.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0062.089] lstrlenW (lpString=".zip") returned 4 [0062.089] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0062.090] lstrlenW (lpString=".rar") returned 4 [0062.090] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0062.090] lstrlenW (lpString=".bz2") returned 4 [0062.090] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0062.090] lstrlenW (lpString=".7z") returned 3 [0062.090] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0062.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0062.090] lstrlenW (lpString=".dbf") returned 4 [0062.090] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0062.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0062.090] lstrlenW (lpString=".1cd") returned 4 [0062.090] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0062.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0062.090] lstrlenW (lpString=".jpg") returned 4 [0062.090] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0062.125] lstrcmpiW (lpString1=".CHM", lpString2=".bmd") returned 1 [0062.125] lstrlenW (lpString="SETUP.CHM") returned 9 [0062.125] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0062.128] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=67190) returned 1 [0062.128] CloseHandle (hObject=0x218) returned 1 [0062.128] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm")) returned 0x20 [0062.129] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.129] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0062.129] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0062.129] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0062.129] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0062.130] GetLastError () returned 0x0 [0062.130] ReadFile (in: hFile=0x218, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x10676, lpOverlapped=0x0) returned 1 [0062.134] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x10680, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x10680, lpOverlapped=0x0) returned 1 [0062.136] ReadFile (in: hFile=0x218, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0062.136] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xe6, lpOverlapped=0x0) returned 1 [0062.136] SetEndOfFile (hFile=0x198) returned 1 [0062.137] CloseHandle (hObject=0x198) returned 1 [0062.138] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0062.138] SetEndOfFile (hFile=0x218) returned 1 [0062.140] CloseHandle (hObject=0x218) returned 1 [0062.140] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.141] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm")) returned 1 [0062.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0062.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0062.141] lstrlenW (lpString=".doc") returned 4 [0062.141] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0062.141] lstrlenW (lpString=".docx") returned 5 [0062.141] lstrcmpiW (lpString1=".docx", lpString2="P.CHM") returned -1 [0062.141] lstrlenW (lpString=".pdf") returned 4 [0062.141] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0062.141] lstrlenW (lpString=".xls") returned 4 [0062.141] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0062.141] lstrlenW (lpString=".xlsx") returned 5 [0062.141] lstrcmpiW (lpString1=".xlsx", lpString2="P.CHM") returned -1 [0062.141] lstrlenW (lpString=".ppt") returned 4 [0062.141] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0062.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0062.141] lstrlenW (lpString=".zip") returned 4 [0062.142] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0062.142] lstrlenW (lpString=".rar") returned 4 [0062.142] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0062.142] lstrlenW (lpString=".bz2") returned 4 [0062.142] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0062.142] lstrlenW (lpString=".7z") returned 3 [0062.142] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0062.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0062.142] lstrlenW (lpString=".dbf") returned 4 [0062.142] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0062.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0062.142] lstrlenW (lpString=".1cd") returned 4 [0062.142] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0062.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0062.142] lstrlenW (lpString=".jpg") returned 4 [0062.142] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0062.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0062.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0062.142] lstrlenW (lpString=".doc") returned 4 [0062.142] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0062.142] lstrlenW (lpString=".docx") returned 5 [0062.142] lstrcmpiW (lpString1=".docx", lpString2="P.CHM") returned -1 [0062.142] lstrlenW (lpString=".pdf") returned 4 [0062.142] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0062.142] lstrlenW (lpString=".xls") returned 4 [0062.143] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0062.143] lstrlenW (lpString=".xlsx") returned 5 [0062.143] lstrcmpiW (lpString1=".xlsx", lpString2="P.CHM") returned -1 [0062.143] lstrlenW (lpString=".ppt") returned 4 [0062.143] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0062.143] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0062.143] lstrlenW (lpString=".zip") returned 4 [0062.143] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0062.143] lstrlenW (lpString=".rar") returned 4 [0062.143] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0062.143] lstrlenW (lpString=".bz2") returned 4 [0062.143] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0062.143] lstrlenW (lpString=".7z") returned 3 [0062.143] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0062.143] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0062.143] lstrlenW (lpString=".dbf") returned 4 [0062.143] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0062.143] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0062.143] lstrlenW (lpString=".1cd") returned 4 [0062.143] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0062.143] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0062.143] lstrlenW (lpString=".jpg") returned 4 [0062.143] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0062.144] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.144] lstrlenW (lpString="SETUP.XML") returned 9 [0062.144] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0062.203] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=2362) returned 1 [0062.203] CloseHandle (hObject=0x218) returned 1 [0062.203] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml")) returned 0x20 [0062.203] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.206] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0062.206] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0062.216] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0062.216] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0062.216] GetLastError () returned 0x0 [0062.216] ReadFile (in: hFile=0x21c, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x93a, lpOverlapped=0x0) returned 1 [0062.288] WriteFile (in: hFile=0x1ec, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x940, lpOverlapped=0x0) returned 1 [0062.297] ReadFile (in: hFile=0x21c, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0062.297] WriteFile (in: hFile=0x1ec, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xe6, lpOverlapped=0x0) returned 1 [0062.297] SetEndOfFile (hFile=0x1ec) returned 1 [0062.297] CloseHandle (hObject=0x1ec) returned 1 [0062.298] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0062.298] SetEndOfFile (hFile=0x21c) returned 1 [0062.299] CloseHandle (hObject=0x21c) returned 1 [0062.299] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.299] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml")) returned 1 [0062.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0062.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0062.300] lstrlenW (lpString=".doc") returned 4 [0062.300] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.300] lstrlenW (lpString=".docx") returned 5 [0062.300] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0062.300] lstrlenW (lpString=".pdf") returned 4 [0062.300] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.300] lstrlenW (lpString=".xls") returned 4 [0062.300] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.300] lstrlenW (lpString=".xlsx") returned 5 [0062.300] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0062.300] lstrlenW (lpString=".ppt") returned 4 [0062.300] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0062.300] lstrlenW (lpString=".zip") returned 4 [0062.300] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.300] lstrlenW (lpString=".rar") returned 4 [0062.300] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.300] lstrlenW (lpString=".bz2") returned 4 [0062.300] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.301] lstrlenW (lpString=".7z") returned 3 [0062.301] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0062.301] lstrlenW (lpString=".dbf") returned 4 [0062.301] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0062.301] lstrlenW (lpString=".1cd") returned 4 [0062.301] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0062.301] lstrlenW (lpString=".jpg") returned 4 [0062.301] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0062.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0062.301] lstrlenW (lpString=".doc") returned 4 [0062.301] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.301] lstrlenW (lpString=".docx") returned 5 [0062.301] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0062.301] lstrlenW (lpString=".pdf") returned 4 [0062.301] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.301] lstrlenW (lpString=".xls") returned 4 [0062.301] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.301] lstrlenW (lpString=".xlsx") returned 5 [0062.301] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0062.301] lstrlenW (lpString=".ppt") returned 4 [0062.301] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0062.301] lstrlenW (lpString=".zip") returned 4 [0062.301] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.301] lstrlenW (lpString=".rar") returned 4 [0062.301] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.301] lstrlenW (lpString=".bz2") returned 4 [0062.301] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.302] lstrlenW (lpString=".7z") returned 3 [0062.302] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0062.302] lstrlenW (lpString=".dbf") returned 4 [0062.302] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0062.302] lstrlenW (lpString=".1cd") returned 4 [0062.302] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0062.302] lstrlenW (lpString=".jpg") returned 4 [0062.302] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.302] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.302] lstrlenW (lpString="PowerPointMUI.XML") returned 17 [0062.302] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0062.302] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=1450) returned 1 [0062.303] CloseHandle (hObject=0x21c) returned 1 [0062.303] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml")) returned 0x20 [0062.303] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.303] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0062.303] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0062.303] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0062.303] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0062.446] GetLastError () returned 0x0 [0062.446] ReadFile (in: hFile=0x21c, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x5aa, lpOverlapped=0x0) returned 1 [0062.550] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0062.551] ReadFile (in: hFile=0x21c, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0062.551] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xf6, lpOverlapped=0x0) returned 1 [0062.551] SetEndOfFile (hFile=0x198) returned 1 [0062.551] CloseHandle (hObject=0x198) returned 1 [0062.553] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0062.553] SetEndOfFile (hFile=0x21c) returned 1 [0062.553] CloseHandle (hObject=0x21c) returned 1 [0062.554] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.554] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml")) returned 1 [0062.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0062.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0062.554] lstrlenW (lpString=".doc") returned 4 [0062.554] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.554] lstrlenW (lpString=".docx") returned 5 [0062.554] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0062.554] lstrlenW (lpString=".pdf") returned 4 [0062.554] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.554] lstrlenW (lpString=".xls") returned 4 [0062.554] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.554] lstrlenW (lpString=".xlsx") returned 5 [0062.554] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0062.554] lstrlenW (lpString=".ppt") returned 4 [0062.554] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0062.555] lstrlenW (lpString=".zip") returned 4 [0062.555] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.555] lstrlenW (lpString=".rar") returned 4 [0062.555] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.555] lstrlenW (lpString=".bz2") returned 4 [0062.555] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.555] lstrlenW (lpString=".7z") returned 3 [0062.555] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0062.555] lstrlenW (lpString=".dbf") returned 4 [0062.555] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0062.555] lstrlenW (lpString=".1cd") returned 4 [0062.555] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0062.555] lstrlenW (lpString=".jpg") returned 4 [0062.555] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0062.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0062.555] lstrlenW (lpString=".doc") returned 4 [0062.555] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.555] lstrlenW (lpString=".docx") returned 5 [0062.555] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0062.555] lstrlenW (lpString=".pdf") returned 4 [0062.555] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.555] lstrlenW (lpString=".xls") returned 4 [0062.555] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.555] lstrlenW (lpString=".xlsx") returned 5 [0062.555] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0062.555] lstrlenW (lpString=".ppt") returned 4 [0062.556] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0062.556] lstrlenW (lpString=".zip") returned 4 [0062.556] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.556] lstrlenW (lpString=".rar") returned 4 [0062.556] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.556] lstrlenW (lpString=".bz2") returned 4 [0062.556] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.556] lstrlenW (lpString=".7z") returned 3 [0062.556] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0062.556] lstrlenW (lpString=".dbf") returned 4 [0062.556] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0062.556] lstrlenW (lpString=".1cd") returned 4 [0062.556] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0062.556] lstrlenW (lpString=".jpg") returned 4 [0062.556] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.556] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.556] lstrlenW (lpString="Proof.XML") returned 9 [0062.556] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0062.722] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=1457) returned 1 [0062.722] CloseHandle (hObject=0x21c) returned 1 [0062.722] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml")) returned 0x20 [0062.722] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.722] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0062.723] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0062.723] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0062.723] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0062.723] GetLastError () returned 0x0 [0062.723] ReadFile (in: hFile=0x21c, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x5b1, lpOverlapped=0x0) returned 1 [0062.798] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0062.800] ReadFile (in: hFile=0x21c, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0062.800] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xe6, lpOverlapped=0x0) returned 1 [0062.800] SetEndOfFile (hFile=0x198) returned 1 [0062.800] CloseHandle (hObject=0x198) returned 1 [0062.801] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0062.801] SetEndOfFile (hFile=0x21c) returned 1 [0062.802] CloseHandle (hObject=0x21c) returned 1 [0062.802] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.803] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml")) returned 1 [0062.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0062.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0062.803] lstrlenW (lpString=".doc") returned 4 [0062.803] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.803] lstrlenW (lpString=".docx") returned 5 [0062.803] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0062.803] lstrlenW (lpString=".pdf") returned 4 [0062.803] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.803] lstrlenW (lpString=".xls") returned 4 [0062.803] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.803] lstrlenW (lpString=".xlsx") returned 5 [0062.803] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0062.803] lstrlenW (lpString=".ppt") returned 4 [0062.803] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0062.803] lstrlenW (lpString=".zip") returned 4 [0062.803] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.803] lstrlenW (lpString=".rar") returned 4 [0062.803] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.803] lstrlenW (lpString=".bz2") returned 4 [0062.803] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.803] lstrlenW (lpString=".7z") returned 3 [0062.803] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0062.803] lstrlenW (lpString=".dbf") returned 4 [0062.803] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0062.804] lstrlenW (lpString=".1cd") returned 4 [0062.804] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0062.804] lstrlenW (lpString=".jpg") returned 4 [0062.804] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0062.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0062.804] lstrlenW (lpString=".doc") returned 4 [0062.804] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.804] lstrlenW (lpString=".docx") returned 5 [0062.804] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0062.804] lstrlenW (lpString=".pdf") returned 4 [0062.804] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.804] lstrlenW (lpString=".xls") returned 4 [0062.804] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.804] lstrlenW (lpString=".xlsx") returned 5 [0062.804] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0062.804] lstrlenW (lpString=".ppt") returned 4 [0062.804] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0062.804] lstrlenW (lpString=".zip") returned 4 [0062.804] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.804] lstrlenW (lpString=".rar") returned 4 [0062.804] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.804] lstrlenW (lpString=".bz2") returned 4 [0062.804] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.804] lstrlenW (lpString=".7z") returned 3 [0062.804] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0062.804] lstrlenW (lpString=".dbf") returned 4 [0062.804] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0062.804] lstrlenW (lpString=".1cd") returned 4 [0062.805] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0062.805] lstrlenW (lpString=".jpg") returned 4 [0062.805] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.805] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.805] lstrlenW (lpString="SETUP.XML") returned 9 [0062.805] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0062.824] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=5884) returned 1 [0062.824] CloseHandle (hObject=0x218) returned 1 [0062.824] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml")) returned 0x20 [0062.824] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.824] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0062.825] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0062.825] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0062.825] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0062.849] GetLastError () returned 0x0 [0062.849] ReadFile (in: hFile=0x218, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x16fc, lpOverlapped=0x0) returned 1 [0062.894] WriteFile (in: hFile=0x1ac, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x1700, lpOverlapped=0x0) returned 1 [0062.896] ReadFile (in: hFile=0x218, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0062.896] WriteFile (in: hFile=0x1ac, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xe6, lpOverlapped=0x0) returned 1 [0062.896] SetEndOfFile (hFile=0x1ac) returned 1 [0062.896] CloseHandle (hObject=0x1ac) returned 1 [0062.896] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0062.896] SetEndOfFile (hFile=0x218) returned 1 [0062.897] CloseHandle (hObject=0x218) returned 1 [0062.897] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0062.897] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml")) returned 1 [0062.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0062.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0062.898] lstrlenW (lpString=".doc") returned 4 [0062.898] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.898] lstrlenW (lpString=".docx") returned 5 [0062.898] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0062.898] lstrlenW (lpString=".pdf") returned 4 [0062.898] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.898] lstrlenW (lpString=".xls") returned 4 [0062.898] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.898] lstrlenW (lpString=".xlsx") returned 5 [0062.898] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0062.898] lstrlenW (lpString=".ppt") returned 4 [0062.898] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0062.898] lstrlenW (lpString=".zip") returned 4 [0062.898] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.898] lstrlenW (lpString=".rar") returned 4 [0062.898] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.898] lstrlenW (lpString=".bz2") returned 4 [0062.898] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.898] lstrlenW (lpString=".7z") returned 3 [0062.898] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0062.898] lstrlenW (lpString=".dbf") returned 4 [0062.898] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0062.898] lstrlenW (lpString=".1cd") returned 4 [0062.898] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0062.899] lstrlenW (lpString=".jpg") returned 4 [0062.899] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0062.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0062.899] lstrlenW (lpString=".doc") returned 4 [0062.899] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0062.899] lstrlenW (lpString=".docx") returned 5 [0062.899] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0062.899] lstrlenW (lpString=".pdf") returned 4 [0062.899] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0062.899] lstrlenW (lpString=".xls") returned 4 [0062.899] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0062.899] lstrlenW (lpString=".xlsx") returned 5 [0062.899] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0062.899] lstrlenW (lpString=".ppt") returned 4 [0062.899] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0062.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0062.899] lstrlenW (lpString=".zip") returned 4 [0062.899] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0062.899] lstrlenW (lpString=".rar") returned 4 [0062.899] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0062.899] lstrlenW (lpString=".bz2") returned 4 [0062.899] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0062.899] lstrlenW (lpString=".7z") returned 3 [0062.899] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0062.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0062.899] lstrlenW (lpString=".dbf") returned 4 [0062.899] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0062.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0062.899] lstrlenW (lpString=".1cd") returned 4 [0062.899] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0062.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0062.899] lstrlenW (lpString=".jpg") returned 4 [0062.899] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0062.900] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0062.900] lstrlenW (lpString="SETUP.XML") returned 9 [0062.900] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0062.900] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=31094) returned 1 [0062.900] CloseHandle (hObject=0x218) returned 1 [0062.900] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml")) returned 0x20 [0062.900] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.900] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0062.901] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0062.901] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0062.901] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0062.902] GetLastError () returned 0x0 [0062.903] ReadFile (in: hFile=0x218, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x7976, lpOverlapped=0x0) returned 1 [0063.888] WriteFile (in: hFile=0x1ac, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x7980, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x7980, lpOverlapped=0x0) returned 1 [0064.352] ReadFile (in: hFile=0x218, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0064.352] WriteFile (in: hFile=0x1ac, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xe6, lpOverlapped=0x0) returned 1 [0064.352] SetEndOfFile (hFile=0x1ac) returned 1 [0064.352] CloseHandle (hObject=0x1ac) returned 1 [0064.352] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0064.352] SetEndOfFile (hFile=0x218) returned 1 [0064.353] CloseHandle (hObject=0x218) returned 1 [0064.353] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0064.354] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml")) returned 1 [0064.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0064.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0064.354] lstrlenW (lpString=".doc") returned 4 [0064.354] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0064.354] lstrlenW (lpString=".docx") returned 5 [0064.354] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0064.354] lstrlenW (lpString=".pdf") returned 4 [0064.354] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0064.354] lstrlenW (lpString=".xls") returned 4 [0064.354] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0064.354] lstrlenW (lpString=".xlsx") returned 5 [0064.354] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0064.354] lstrlenW (lpString=".ppt") returned 4 [0064.354] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0064.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0064.354] lstrlenW (lpString=".zip") returned 4 [0064.354] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0064.354] lstrlenW (lpString=".rar") returned 4 [0064.354] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0064.354] lstrlenW (lpString=".bz2") returned 4 [0064.354] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0064.354] lstrlenW (lpString=".7z") returned 3 [0064.354] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0064.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0064.355] lstrlenW (lpString=".dbf") returned 4 [0064.355] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0064.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0064.355] lstrlenW (lpString=".1cd") returned 4 [0064.355] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0064.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0064.355] lstrlenW (lpString=".jpg") returned 4 [0064.355] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0064.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0064.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0064.355] lstrlenW (lpString=".doc") returned 4 [0064.355] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0064.355] lstrlenW (lpString=".docx") returned 5 [0064.355] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0064.355] lstrlenW (lpString=".pdf") returned 4 [0064.355] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0064.355] lstrlenW (lpString=".xls") returned 4 [0064.355] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0064.355] lstrlenW (lpString=".xlsx") returned 5 [0064.355] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0064.355] lstrlenW (lpString=".ppt") returned 4 [0064.355] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0064.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0064.355] lstrlenW (lpString=".zip") returned 4 [0064.355] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0064.355] lstrlenW (lpString=".rar") returned 4 [0064.355] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0064.355] lstrlenW (lpString=".bz2") returned 4 [0064.355] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0064.355] lstrlenW (lpString=".7z") returned 3 [0064.355] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0064.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0064.356] lstrlenW (lpString=".dbf") returned 4 [0064.356] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0064.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0064.356] lstrlenW (lpString=".1cd") returned 4 [0064.356] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0064.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0064.356] lstrlenW (lpString=".jpg") returned 4 [0064.356] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0064.356] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0064.356] lstrlenW (lpString="VisioMUI.XML") returned 12 [0064.356] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0064.393] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=9503) returned 1 [0064.393] CloseHandle (hObject=0x204) returned 1 [0064.393] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml")) returned 0x20 [0064.393] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0064.393] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0064.393] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0064.393] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0064.393] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0064.582] GetLastError () returned 0x0 [0064.582] ReadFile (in: hFile=0x204, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x251f, lpOverlapped=0x0) returned 1 [0064.586] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x2520, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x2520, lpOverlapped=0x0) returned 1 [0064.588] ReadFile (in: hFile=0x204, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0064.588] WriteFile (in: hFile=0x198, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xec, lpOverlapped=0x0) returned 1 [0064.588] SetEndOfFile (hFile=0x198) returned 1 [0064.588] CloseHandle (hObject=0x198) returned 1 [0064.589] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0064.589] SetEndOfFile (hFile=0x204) returned 1 [0064.590] CloseHandle (hObject=0x204) returned 1 [0064.590] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0064.590] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml")) returned 1 [0064.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0064.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0064.591] lstrlenW (lpString=".doc") returned 4 [0064.591] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0064.591] lstrlenW (lpString=".docx") returned 5 [0064.591] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0064.591] lstrlenW (lpString=".pdf") returned 4 [0064.591] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0064.591] lstrlenW (lpString=".xls") returned 4 [0064.591] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0064.591] lstrlenW (lpString=".xlsx") returned 5 [0064.591] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0064.591] lstrlenW (lpString=".ppt") returned 4 [0064.591] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0064.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0064.591] lstrlenW (lpString=".zip") returned 4 [0064.591] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0064.591] lstrlenW (lpString=".rar") returned 4 [0064.591] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0064.591] lstrlenW (lpString=".bz2") returned 4 [0064.591] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0064.591] lstrlenW (lpString=".7z") returned 3 [0064.591] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0064.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0064.591] lstrlenW (lpString=".dbf") returned 4 [0064.591] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0064.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0064.592] lstrlenW (lpString=".1cd") returned 4 [0064.592] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0064.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0064.592] lstrlenW (lpString=".jpg") returned 4 [0064.592] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0064.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0064.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0064.592] lstrlenW (lpString=".doc") returned 4 [0064.592] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0064.592] lstrlenW (lpString=".docx") returned 5 [0064.592] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0064.592] lstrlenW (lpString=".pdf") returned 4 [0064.592] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0064.592] lstrlenW (lpString=".xls") returned 4 [0064.592] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0064.592] lstrlenW (lpString=".xlsx") returned 5 [0064.592] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0064.592] lstrlenW (lpString=".ppt") returned 4 [0064.592] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0064.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0064.592] lstrlenW (lpString=".zip") returned 4 [0064.592] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0064.592] lstrlenW (lpString=".rar") returned 4 [0064.592] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0064.592] lstrlenW (lpString=".bz2") returned 4 [0064.593] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0064.593] lstrlenW (lpString=".7z") returned 3 [0064.593] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0064.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0064.593] lstrlenW (lpString=".dbf") returned 4 [0064.593] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0064.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0064.593] lstrlenW (lpString=".1cd") returned 4 [0064.593] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0064.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0064.593] lstrlenW (lpString=".jpg") returned 4 [0064.593] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0064.593] lstrcmpiW (lpString1=".HTM", lpString2=".bmd") returned 1 [0064.593] lstrlenW (lpString="MCABOUT.HTM") returned 11 [0064.594] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0064.596] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=11463) returned 1 [0064.596] CloseHandle (hObject=0x204) returned 1 [0064.596] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm")) returned 0x20 [0064.596] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0064.596] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0064.596] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0064.596] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0064.596] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0064.706] GetLastError () returned 0x0 [0064.706] ReadFile (in: hFile=0x204, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x2cc7, lpOverlapped=0x0) returned 1 [0064.925] WriteFile (in: hFile=0x1ac, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x2cd0, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x2cd0, lpOverlapped=0x0) returned 1 [0065.212] ReadFile (in: hFile=0x204, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0065.212] WriteFile (in: hFile=0x1ac, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xea, lpOverlapped=0x0) returned 1 [0065.212] SetEndOfFile (hFile=0x1ac) returned 1 [0065.213] CloseHandle (hObject=0x1ac) returned 1 [0065.213] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0065.213] SetEndOfFile (hFile=0x204) returned 1 [0065.214] CloseHandle (hObject=0x204) returned 1 [0065.214] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0065.214] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm")) returned 1 [0065.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0065.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0065.215] lstrlenW (lpString=".doc") returned 4 [0065.215] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0065.215] lstrlenW (lpString=".docx") returned 5 [0065.215] lstrcmpiW (lpString1=".docx", lpString2="T.HTM") returned -1 [0065.215] lstrlenW (lpString=".pdf") returned 4 [0065.215] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0065.215] lstrlenW (lpString=".xls") returned 4 [0065.215] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0065.215] lstrlenW (lpString=".xlsx") returned 5 [0065.215] lstrcmpiW (lpString1=".xlsx", lpString2="T.HTM") returned -1 [0065.215] lstrlenW (lpString=".ppt") returned 4 [0065.215] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0065.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0065.215] lstrlenW (lpString=".zip") returned 4 [0065.215] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0065.215] lstrlenW (lpString=".rar") returned 4 [0065.215] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0065.215] lstrlenW (lpString=".bz2") returned 4 [0065.215] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0065.215] lstrlenW (lpString=".7z") returned 3 [0065.215] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0065.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0065.216] lstrlenW (lpString=".dbf") returned 4 [0065.216] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0065.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0065.216] lstrlenW (lpString=".1cd") returned 4 [0065.216] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0065.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0065.216] lstrlenW (lpString=".jpg") returned 4 [0065.216] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0065.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0065.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0065.216] lstrlenW (lpString=".doc") returned 4 [0065.216] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0065.216] lstrlenW (lpString=".docx") returned 5 [0065.216] lstrcmpiW (lpString1=".docx", lpString2="T.HTM") returned -1 [0065.216] lstrlenW (lpString=".pdf") returned 4 [0065.216] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0065.216] lstrlenW (lpString=".xls") returned 4 [0065.216] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0065.216] lstrlenW (lpString=".xlsx") returned 5 [0065.216] lstrcmpiW (lpString1=".xlsx", lpString2="T.HTM") returned -1 [0065.216] lstrlenW (lpString=".ppt") returned 4 [0065.216] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0065.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0065.216] lstrlenW (lpString=".zip") returned 4 [0065.216] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0065.216] lstrlenW (lpString=".rar") returned 4 [0065.216] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0065.216] lstrlenW (lpString=".bz2") returned 4 [0065.216] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0065.217] lstrlenW (lpString=".7z") returned 3 [0065.217] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0065.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0065.217] lstrlenW (lpString=".dbf") returned 4 [0065.217] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0065.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0065.217] lstrlenW (lpString=".1cd") returned 4 [0065.217] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0065.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0065.217] lstrlenW (lpString=".jpg") returned 4 [0065.217] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0065.217] lstrcmpiW (lpString1=".XML", lpString2=".bmd") returned 1 [0065.217] lstrlenW (lpString="DATES.XML") returned 9 [0065.217] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0065.219] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=8918) returned 1 [0065.219] CloseHandle (hObject=0x204) returned 1 [0065.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml")) returned 0x20 [0065.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0065.219] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0065.219] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0065.219] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0065.219] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0067.044] GetLastError () returned 0x0 [0067.044] ReadFile (in: hFile=0x204, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x22d6, lpOverlapped=0x0) returned 1 [0067.046] WriteFile (in: hFile=0x1f4, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x22e0, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x22e0, lpOverlapped=0x0) returned 1 [0067.047] ReadFile (in: hFile=0x204, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0067.048] WriteFile (in: hFile=0x1f4, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xe6, lpOverlapped=0x0) returned 1 [0067.048] SetEndOfFile (hFile=0x1f4) returned 1 [0067.048] CloseHandle (hObject=0x1f4) returned 1 [0067.048] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0067.048] SetEndOfFile (hFile=0x204) returned 1 [0067.049] CloseHandle (hObject=0x204) returned 1 [0067.050] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0067.050] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml")) returned 1 [0067.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0067.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0067.050] lstrlenW (lpString=".doc") returned 4 [0067.050] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0067.050] lstrlenW (lpString=".docx") returned 5 [0067.050] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0067.050] lstrlenW (lpString=".pdf") returned 4 [0067.050] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0067.050] lstrlenW (lpString=".xls") returned 4 [0067.050] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0067.050] lstrlenW (lpString=".xlsx") returned 5 [0067.050] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0067.051] lstrlenW (lpString=".ppt") returned 4 [0067.051] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0067.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0067.051] lstrlenW (lpString=".zip") returned 4 [0067.051] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0067.051] lstrlenW (lpString=".rar") returned 4 [0067.051] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0067.051] lstrlenW (lpString=".bz2") returned 4 [0067.051] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0067.051] lstrlenW (lpString=".7z") returned 3 [0067.051] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0067.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0067.051] lstrlenW (lpString=".dbf") returned 4 [0067.051] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0067.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0067.051] lstrlenW (lpString=".1cd") returned 4 [0067.051] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0067.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0067.051] lstrlenW (lpString=".jpg") returned 4 [0067.051] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0067.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0067.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0067.051] lstrlenW (lpString=".doc") returned 4 [0067.051] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0067.051] lstrlenW (lpString=".docx") returned 5 [0067.051] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0067.051] lstrlenW (lpString=".pdf") returned 4 [0067.051] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0067.051] lstrlenW (lpString=".xls") returned 4 [0067.051] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0067.052] lstrlenW (lpString=".xlsx") returned 5 [0067.052] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0067.052] lstrlenW (lpString=".ppt") returned 4 [0067.052] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0067.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0067.052] lstrlenW (lpString=".zip") returned 4 [0067.052] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0067.052] lstrlenW (lpString=".rar") returned 4 [0067.052] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0067.052] lstrlenW (lpString=".bz2") returned 4 [0067.052] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0067.052] lstrlenW (lpString=".7z") returned 3 [0067.052] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0067.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0067.052] lstrlenW (lpString=".dbf") returned 4 [0067.052] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0067.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0067.052] lstrlenW (lpString=".1cd") returned 4 [0067.052] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0067.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0067.052] lstrlenW (lpString=".jpg") returned 4 [0067.052] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0067.052] lstrcmpiW (lpString1=".jpg", lpString2=".bmd") returned 1 [0067.052] lstrlenW (lpString="HandPrints.jpg") returned 14 [0067.052] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0067.747] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=4222) returned 1 [0067.747] CloseHandle (hObject=0x198) returned 1 [0067.747] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg")) returned 0x20 [0067.747] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.747] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0067.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0067.747] lstrlenW (lpString=".doc") returned 4 [0067.748] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0067.748] lstrlenW (lpString=".docx") returned 5 [0067.748] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0067.748] lstrlenW (lpString=".pdf") returned 4 [0067.748] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0067.748] lstrlenW (lpString=".xls") returned 4 [0067.748] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0067.748] lstrlenW (lpString=".xlsx") returned 5 [0067.748] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0067.748] lstrlenW (lpString=".ppt") returned 4 [0067.748] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0067.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0067.748] lstrlenW (lpString=".zip") returned 4 [0067.748] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0067.748] lstrlenW (lpString=".rar") returned 4 [0067.748] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0067.748] lstrlenW (lpString=".bz2") returned 4 [0067.748] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0067.748] lstrlenW (lpString=".7z") returned 3 [0067.748] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0067.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0067.748] lstrlenW (lpString=".dbf") returned 4 [0067.748] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0067.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0067.748] lstrlenW (lpString=".1cd") returned 4 [0067.748] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0067.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0067.748] lstrlenW (lpString=".jpg") returned 4 [0067.748] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0067.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0067.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0067.749] lstrlenW (lpString=".doc") returned 4 [0067.749] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0067.749] lstrlenW (lpString=".docx") returned 5 [0067.749] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0067.749] lstrlenW (lpString=".pdf") returned 4 [0067.749] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0067.749] lstrlenW (lpString=".xls") returned 4 [0067.749] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0067.749] lstrlenW (lpString=".xlsx") returned 5 [0067.749] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0067.749] lstrlenW (lpString=".ppt") returned 4 [0067.749] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0067.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0067.749] lstrlenW (lpString=".zip") returned 4 [0067.749] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0067.749] lstrlenW (lpString=".rar") returned 4 [0067.749] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0067.749] lstrlenW (lpString=".bz2") returned 4 [0067.749] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0067.749] lstrlenW (lpString=".7z") returned 3 [0067.749] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0067.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0067.749] lstrlenW (lpString=".dbf") returned 4 [0067.749] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0067.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0067.750] lstrlenW (lpString=".1cd") returned 4 [0067.750] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0067.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0067.750] lstrlenW (lpString=".jpg") returned 4 [0067.750] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0067.750] lstrcmpiW (lpString1=".jpg", lpString2=".bmd") returned 1 [0067.750] lstrlenW (lpString="SoftBlue.jpg") returned 12 [0067.750] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0067.751] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=10569) returned 1 [0067.751] CloseHandle (hObject=0x198) returned 1 [0067.752] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg")) returned 0x20 [0067.752] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.752] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg") returned 70 [0067.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg") returned 70 [0067.752] lstrlenW (lpString=".doc") returned 4 [0067.752] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0067.752] lstrlenW (lpString=".docx") returned 5 [0067.752] lstrcmpiW (lpString1=".docx", lpString2="e.jpg") returned -1 [0067.752] lstrlenW (lpString=".pdf") returned 4 [0067.752] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0067.752] lstrlenW (lpString=".xls") returned 4 [0067.752] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0067.752] lstrlenW (lpString=".xlsx") returned 5 [0067.752] lstrcmpiW (lpString1=".xlsx", lpString2="e.jpg") returned -1 [0067.752] lstrlenW (lpString=".ppt") returned 4 [0067.752] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0067.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg") returned 70 [0067.752] lstrlenW (lpString=".zip") returned 4 [0067.752] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0067.752] lstrlenW (lpString=".rar") returned 4 [0067.753] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0067.753] lstrlenW (lpString=".bz2") returned 4 [0067.753] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0067.753] lstrlenW (lpString=".7z") returned 3 [0067.753] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0067.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg") returned 70 [0067.753] lstrlenW (lpString=".dbf") returned 4 [0067.753] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0067.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg") returned 70 [0067.753] lstrlenW (lpString=".1cd") returned 4 [0067.753] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0067.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg") returned 70 [0067.753] lstrlenW (lpString=".jpg") returned 4 [0067.753] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0067.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg") returned 70 [0067.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg") returned 70 [0067.753] lstrlenW (lpString=".doc") returned 4 [0067.753] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0067.753] lstrlenW (lpString=".docx") returned 5 [0067.753] lstrcmpiW (lpString1=".docx", lpString2="e.jpg") returned -1 [0067.753] lstrlenW (lpString=".pdf") returned 4 [0067.753] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0067.753] lstrlenW (lpString=".xls") returned 4 [0067.753] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0067.753] lstrlenW (lpString=".xlsx") returned 5 [0067.753] lstrcmpiW (lpString1=".xlsx", lpString2="e.jpg") returned -1 [0067.753] lstrlenW (lpString=".ppt") returned 4 [0067.754] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0067.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg") returned 70 [0067.754] lstrlenW (lpString=".zip") returned 4 [0067.754] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0067.754] lstrlenW (lpString=".rar") returned 4 [0067.754] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0067.754] lstrlenW (lpString=".bz2") returned 4 [0067.754] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0067.754] lstrlenW (lpString=".7z") returned 3 [0067.754] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0067.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg") returned 70 [0067.754] lstrlenW (lpString=".dbf") returned 4 [0067.754] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0067.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg") returned 70 [0067.754] lstrlenW (lpString=".1cd") returned 4 [0067.754] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0067.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg") returned 70 [0067.754] lstrlenW (lpString=".jpg") returned 4 [0067.754] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0067.754] lstrcmpiW (lpString1=".htm", lpString2=".bmd") returned 1 [0067.754] lstrlenW (lpString="Stars.htm") returned 9 [0067.754] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0067.755] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=230) returned 1 [0067.755] CloseHandle (hObject=0x198) returned 1 [0067.755] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.htm")) returned 0x20 [0067.755] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.htm.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.755] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0067.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0067.755] lstrlenW (lpString=".doc") returned 4 [0067.755] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0067.756] lstrlenW (lpString=".docx") returned 5 [0067.756] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0067.756] lstrlenW (lpString=".pdf") returned 4 [0067.756] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0067.756] lstrlenW (lpString=".xls") returned 4 [0067.756] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0067.756] lstrlenW (lpString=".xlsx") returned 5 [0067.756] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0067.756] lstrlenW (lpString=".ppt") returned 4 [0067.756] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0067.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0067.756] lstrlenW (lpString=".zip") returned 4 [0067.756] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0067.756] lstrlenW (lpString=".rar") returned 4 [0067.756] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0067.756] lstrlenW (lpString=".bz2") returned 4 [0067.756] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0067.756] lstrlenW (lpString=".7z") returned 3 [0067.756] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0067.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0067.756] lstrlenW (lpString=".dbf") returned 4 [0067.756] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0067.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0067.756] lstrlenW (lpString=".1cd") returned 4 [0067.756] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0067.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0067.756] lstrlenW (lpString=".jpg") returned 4 [0067.756] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0067.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0067.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0067.757] lstrlenW (lpString=".doc") returned 4 [0067.757] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0067.757] lstrlenW (lpString=".docx") returned 5 [0067.757] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0067.757] lstrlenW (lpString=".pdf") returned 4 [0067.757] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0067.757] lstrlenW (lpString=".xls") returned 4 [0067.757] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0067.757] lstrlenW (lpString=".xlsx") returned 5 [0067.757] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0067.757] lstrlenW (lpString=".ppt") returned 4 [0067.757] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0067.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0067.757] lstrlenW (lpString=".zip") returned 4 [0067.757] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0067.757] lstrlenW (lpString=".rar") returned 4 [0067.757] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0067.757] lstrlenW (lpString=".bz2") returned 4 [0067.757] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0067.757] lstrlenW (lpString=".7z") returned 3 [0067.757] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0067.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0067.757] lstrlenW (lpString=".dbf") returned 4 [0067.757] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0067.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0067.758] lstrlenW (lpString=".1cd") returned 4 [0067.758] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0067.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0067.758] lstrlenW (lpString=".jpg") returned 4 [0067.758] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0067.758] lstrcmpiW (lpString1=".jpg", lpString2=".bmd") returned 1 [0067.758] lstrlenW (lpString="Stars.jpg") returned 9 [0067.758] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0067.759] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=7505) returned 1 [0067.759] CloseHandle (hObject=0x198) returned 1 [0067.759] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg")) returned 0x20 [0067.759] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.759] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.759] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0067.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0067.760] lstrlenW (lpString=".doc") returned 4 [0067.760] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0067.760] lstrlenW (lpString=".docx") returned 5 [0067.760] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0067.760] lstrlenW (lpString=".pdf") returned 4 [0067.760] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0067.760] lstrlenW (lpString=".xls") returned 4 [0067.760] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0067.760] lstrlenW (lpString=".xlsx") returned 5 [0067.760] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0067.760] lstrlenW (lpString=".ppt") returned 4 [0067.760] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0067.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0067.760] lstrlenW (lpString=".zip") returned 4 [0067.772] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0067.772] lstrlenW (lpString=".rar") returned 4 [0067.773] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0067.773] lstrlenW (lpString=".bz2") returned 4 [0067.773] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0067.773] lstrlenW (lpString=".7z") returned 3 [0067.773] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0067.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0067.773] lstrlenW (lpString=".dbf") returned 4 [0067.773] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0067.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0067.773] lstrlenW (lpString=".1cd") returned 4 [0067.773] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0067.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0067.774] lstrlenW (lpString=".jpg") returned 4 [0067.774] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0067.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0067.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0067.774] lstrlenW (lpString=".doc") returned 4 [0067.774] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0067.774] lstrlenW (lpString=".docx") returned 5 [0067.774] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0067.774] lstrlenW (lpString=".pdf") returned 4 [0067.774] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0067.774] lstrlenW (lpString=".xls") returned 4 [0067.774] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0067.774] lstrlenW (lpString=".xlsx") returned 5 [0067.774] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0067.774] lstrlenW (lpString=".ppt") returned 4 [0067.774] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0067.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0067.774] lstrlenW (lpString=".zip") returned 4 [0067.774] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0067.774] lstrlenW (lpString=".rar") returned 4 [0067.774] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0067.774] lstrlenW (lpString=".bz2") returned 4 [0067.774] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0067.774] lstrlenW (lpString=".7z") returned 3 [0067.774] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0067.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0067.775] lstrlenW (lpString=".dbf") returned 4 [0067.775] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0067.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0067.775] lstrlenW (lpString=".1cd") returned 4 [0067.775] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0067.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0067.775] lstrlenW (lpString=".jpg") returned 4 [0067.775] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0067.775] lstrcmpiW (lpString1=".gif", lpString2=".bmd") returned 1 [0067.775] lstrlenW (lpString="Stucco.gif") returned 10 [0067.775] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stucco.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0067.776] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=1864) returned 1 [0067.776] CloseHandle (hObject=0x198) returned 1 [0067.776] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stucco.gif")) returned 0x20 [0067.776] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stucco.gif.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.776] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stucco.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0067.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0067.776] lstrlenW (lpString=".doc") returned 4 [0067.776] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0067.776] lstrlenW (lpString=".docx") returned 5 [0067.776] lstrcmpiW (lpString1=".docx", lpString2="o.gif") returned -1 [0067.776] lstrlenW (lpString=".pdf") returned 4 [0067.776] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0067.777] lstrlenW (lpString=".xls") returned 4 [0067.777] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0067.777] lstrlenW (lpString=".xlsx") returned 5 [0067.777] lstrcmpiW (lpString1=".xlsx", lpString2="o.gif") returned -1 [0067.777] lstrlenW (lpString=".ppt") returned 4 [0067.777] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0067.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0067.777] lstrlenW (lpString=".zip") returned 4 [0067.777] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0067.777] lstrlenW (lpString=".rar") returned 4 [0067.777] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0067.777] lstrlenW (lpString=".bz2") returned 4 [0067.777] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0067.777] lstrlenW (lpString=".7z") returned 3 [0067.777] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0067.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0067.777] lstrlenW (lpString=".dbf") returned 4 [0067.777] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0067.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0067.777] lstrlenW (lpString=".1cd") returned 4 [0067.777] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0067.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0067.777] lstrlenW (lpString=".jpg") returned 4 [0067.777] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0067.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0067.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0067.778] lstrlenW (lpString=".doc") returned 4 [0067.778] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0067.778] lstrlenW (lpString=".docx") returned 5 [0067.778] lstrcmpiW (lpString1=".docx", lpString2="o.gif") returned -1 [0067.778] lstrlenW (lpString=".pdf") returned 4 [0067.778] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0067.778] lstrlenW (lpString=".xls") returned 4 [0067.778] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0067.778] lstrlenW (lpString=".xlsx") returned 5 [0067.778] lstrcmpiW (lpString1=".xlsx", lpString2="o.gif") returned -1 [0067.778] lstrlenW (lpString=".ppt") returned 4 [0067.778] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0067.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0067.778] lstrlenW (lpString=".zip") returned 4 [0067.778] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0067.778] lstrlenW (lpString=".rar") returned 4 [0067.778] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0067.778] lstrlenW (lpString=".bz2") returned 4 [0067.778] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0067.778] lstrlenW (lpString=".7z") returned 3 [0067.778] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0067.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0067.778] lstrlenW (lpString=".dbf") returned 4 [0067.778] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0067.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0067.778] lstrlenW (lpString=".1cd") returned 4 [0067.778] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0067.779] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0067.779] lstrlenW (lpString=".jpg") returned 4 [0067.779] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0067.779] lstrcmpiW (lpString1=".jpg", lpString2=".bmd") returned 1 [0067.779] lstrlenW (lpString="Tanspecks.jpg") returned 13 [0067.779] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tanspecks.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0067.780] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=3650) returned 1 [0067.780] CloseHandle (hObject=0x198) returned 1 [0067.780] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tanspecks.jpg")) returned 0x20 [0067.780] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tanspecks.jpg.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.780] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tanspecks.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned 71 [0067.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned 71 [0067.781] lstrlenW (lpString=".doc") returned 4 [0067.781] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0067.781] lstrlenW (lpString=".docx") returned 5 [0067.781] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0067.781] lstrlenW (lpString=".pdf") returned 4 [0067.781] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0067.781] lstrlenW (lpString=".xls") returned 4 [0067.781] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0067.781] lstrlenW (lpString=".xlsx") returned 5 [0067.781] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0067.781] lstrlenW (lpString=".ppt") returned 4 [0067.781] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0067.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned 71 [0067.781] lstrlenW (lpString=".zip") returned 4 [0067.781] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0067.781] lstrlenW (lpString=".rar") returned 4 [0067.781] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0067.781] lstrlenW (lpString=".bz2") returned 4 [0067.781] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0067.781] lstrlenW (lpString=".7z") returned 3 [0067.781] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0067.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned 71 [0067.781] lstrlenW (lpString=".dbf") returned 4 [0067.781] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0067.785] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0067.785] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0067.785] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0068.240] GetLastError () returned 0x0 [0068.240] ReadFile (in: hFile=0x198, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x621, lpOverlapped=0x0) returned 1 [0069.120] WriteFile (in: hFile=0x20c, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x630, lpOverlapped=0x0) returned 1 [0069.122] ReadFile (in: hFile=0x198, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0069.122] WriteFile (in: hFile=0x20c, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xea, lpOverlapped=0x0) returned 1 [0069.122] SetEndOfFile (hFile=0x20c) returned 1 [0069.122] CloseHandle (hObject=0x20c) returned 1 [0069.123] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0069.123] SetEndOfFile (hFile=0x198) returned 1 [0069.124] CloseHandle (hObject=0x198) returned 1 [0069.124] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0069.125] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\preview.gif")) returned 1 [0069.125] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0069.125] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0069.125] lstrlenW (lpString=".doc") returned 4 [0069.125] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0069.125] lstrlenW (lpString=".docx") returned 5 [0069.125] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0069.125] lstrlenW (lpString=".pdf") returned 4 [0069.125] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0069.126] lstrlenW (lpString=".xls") returned 4 [0069.126] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0069.126] lstrlenW (lpString=".xlsx") returned 5 [0069.126] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0069.126] lstrlenW (lpString=".ppt") returned 4 [0069.126] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0069.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0069.126] lstrlenW (lpString=".zip") returned 4 [0069.126] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0069.126] lstrlenW (lpString=".rar") returned 4 [0069.126] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0069.126] lstrlenW (lpString=".bz2") returned 4 [0069.126] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0069.126] lstrlenW (lpString=".7z") returned 3 [0069.126] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0069.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0069.126] lstrlenW (lpString=".dbf") returned 4 [0069.126] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0069.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0069.126] lstrlenW (lpString=".1cd") returned 4 [0069.126] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0069.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0069.126] lstrlenW (lpString=".jpg") returned 4 [0069.126] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0069.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0069.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0069.127] lstrlenW (lpString=".doc") returned 4 [0069.127] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0069.127] lstrlenW (lpString=".docx") returned 5 [0069.127] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0069.127] lstrlenW (lpString=".pdf") returned 4 [0069.127] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0069.127] lstrlenW (lpString=".xls") returned 4 [0069.127] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0069.127] lstrlenW (lpString=".xlsx") returned 5 [0069.127] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0069.127] lstrlenW (lpString=".ppt") returned 4 [0069.127] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0069.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0069.127] lstrlenW (lpString=".zip") returned 4 [0069.127] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0069.127] lstrlenW (lpString=".rar") returned 4 [0069.127] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0069.127] lstrlenW (lpString=".bz2") returned 4 [0069.127] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0069.127] lstrlenW (lpString=".7z") returned 3 [0069.127] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0069.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0069.128] lstrlenW (lpString=".dbf") returned 4 [0069.128] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0069.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0069.128] lstrlenW (lpString=".1cd") returned 4 [0069.128] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0069.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0069.128] lstrlenW (lpString=".jpg") returned 4 [0069.128] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0069.128] lstrcmpiW (lpString1=".PNG", lpString2=".bmd") returned 1 [0069.128] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0069.128] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0069.984] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=20627) returned 1 [0069.985] CloseHandle (hObject=0x20c) returned 1 [0069.985] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png")) returned 0x20 [0069.985] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0069.985] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0069.985] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0069.985] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0069.985] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0069.986] GetLastError () returned 0x0 [0069.986] ReadFile (in: hFile=0x20c, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x5093, lpOverlapped=0x0) returned 1 [0070.502] WriteFile (in: hFile=0x19c, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x50a0, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x50a0, lpOverlapped=0x0) returned 1 [0070.503] ReadFile (in: hFile=0x20c, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0070.503] WriteFile (in: hFile=0x19c, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xec, lpOverlapped=0x0) returned 1 [0070.503] SetEndOfFile (hFile=0x19c) returned 1 [0070.504] CloseHandle (hObject=0x19c) returned 1 [0070.504] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0070.504] SetEndOfFile (hFile=0x20c) returned 1 [0070.505] CloseHandle (hObject=0x20c) returned 1 [0070.505] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0070.507] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png")) returned 1 [0070.507] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0070.507] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0070.507] lstrlenW (lpString=".doc") returned 4 [0070.507] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0070.507] lstrlenW (lpString=".docx") returned 5 [0070.507] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0070.507] lstrlenW (lpString=".pdf") returned 4 [0070.508] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0070.508] lstrlenW (lpString=".xls") returned 4 [0070.508] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0070.508] lstrlenW (lpString=".xlsx") returned 5 [0070.508] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0070.508] lstrlenW (lpString=".ppt") returned 4 [0070.508] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0070.508] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0070.508] lstrlenW (lpString=".zip") returned 4 [0070.508] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0070.508] lstrlenW (lpString=".rar") returned 4 [0070.508] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0070.508] lstrlenW (lpString=".bz2") returned 4 [0070.508] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0070.508] lstrlenW (lpString=".7z") returned 3 [0070.508] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0070.508] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0070.508] lstrlenW (lpString=".dbf") returned 4 [0070.508] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0070.508] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0070.508] lstrlenW (lpString=".1cd") returned 4 [0070.508] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0070.508] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0070.508] lstrlenW (lpString=".jpg") returned 4 [0070.509] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0070.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0070.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0070.509] lstrlenW (lpString=".doc") returned 4 [0070.509] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0070.509] lstrlenW (lpString=".docx") returned 5 [0070.509] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0070.509] lstrlenW (lpString=".pdf") returned 4 [0070.509] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0070.509] lstrlenW (lpString=".xls") returned 4 [0070.509] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0070.510] lstrlenW (lpString=".xlsx") returned 5 [0070.510] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0070.510] lstrlenW (lpString=".ppt") returned 4 [0070.510] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0070.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0070.510] lstrlenW (lpString=".zip") returned 4 [0070.510] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0070.510] lstrlenW (lpString=".rar") returned 4 [0070.510] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0070.510] lstrlenW (lpString=".bz2") returned 4 [0070.510] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0070.510] lstrlenW (lpString=".7z") returned 3 [0070.510] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0070.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0070.510] lstrlenW (lpString=".dbf") returned 4 [0070.510] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0070.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0070.510] lstrlenW (lpString=".1cd") returned 4 [0070.510] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0070.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0070.510] lstrlenW (lpString=".jpg") returned 4 [0070.510] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0070.511] lstrcmpiW (lpString1=".GIF", lpString2=".bmd") returned 1 [0070.511] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0070.511] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0070.511] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=945) returned 1 [0070.511] CloseHandle (hObject=0x20c) returned 1 [0070.511] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif")) returned 0x20 [0070.512] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0070.512] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0070.512] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0070.512] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0070.512] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0070.945] GetLastError () returned 0x0 [0070.945] ReadFile (in: hFile=0x20c, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x3b1, lpOverlapped=0x0) returned 1 [0070.948] WriteFile (in: hFile=0x1ac, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0x3c0, lpOverlapped=0x0) returned 1 [0070.950] ReadFile (in: hFile=0x20c, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesRead=0x2eefed4*=0x0, lpOverlapped=0x0) returned 1 [0070.950] WriteFile (in: hFile=0x1ac, lpBuffer=0x3960020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2eefc9c, lpOverlapped=0x0 | out: lpBuffer=0x3960020*, lpNumberOfBytesWritten=0x2eefc9c*=0xea, lpOverlapped=0x0) returned 1 [0070.950] SetEndOfFile (hFile=0x1ac) returned 1 [0070.950] CloseHandle (hObject=0x1ac) returned 1 [0070.950] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0070.951] SetEndOfFile (hFile=0x20c) returned 1 [0070.952] CloseHandle (hObject=0x20c) returned 1 [0070.952] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x20) returned 1 [0070.952] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif")) returned 1 [0070.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0070.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0070.953] lstrlenW (lpString=".doc") returned 4 [0070.953] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.953] lstrlenW (lpString=".docx") returned 5 [0070.953] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0070.953] lstrlenW (lpString=".pdf") returned 4 [0070.953] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.953] lstrlenW (lpString=".xls") returned 4 [0070.953] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.953] lstrlenW (lpString=".xlsx") returned 5 [0070.953] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0070.953] lstrlenW (lpString=".ppt") returned 4 [0070.953] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.953] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0070.953] lstrlenW (lpString=".zip") returned 4 [0070.953] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.953] lstrlenW (lpString=".rar") returned 4 [0070.953] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.953] lstrlenW (lpString=".bz2") returned 4 [0070.953] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.953] lstrlenW (lpString=".7z") returned 3 [0070.953] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.953] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0070.953] lstrlenW (lpString=".dbf") returned 4 [0070.953] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.953] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0070.953] lstrlenW (lpString=".1cd") returned 4 [0070.954] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.954] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0070.954] lstrlenW (lpString=".jpg") returned 4 [0070.954] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.954] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0070.954] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0070.954] lstrlenW (lpString=".doc") returned 4 [0070.954] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.954] lstrlenW (lpString=".docx") returned 5 [0070.954] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0070.954] lstrlenW (lpString=".pdf") returned 4 [0070.954] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.954] lstrlenW (lpString=".xls") returned 4 [0070.954] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.954] lstrlenW (lpString=".xlsx") returned 5 [0070.954] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0070.954] lstrlenW (lpString=".ppt") returned 4 [0070.954] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.954] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0070.954] lstrlenW (lpString=".zip") returned 4 [0070.955] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.955] lstrlenW (lpString=".rar") returned 4 [0070.955] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.955] lstrlenW (lpString=".bz2") returned 4 [0070.955] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.955] lstrlenW (lpString=".7z") returned 3 [0070.955] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.955] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0070.955] lstrlenW (lpString=".dbf") returned 4 [0070.955] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.955] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0070.955] lstrlenW (lpString=".1cd") returned 4 [0070.955] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.955] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0070.955] lstrlenW (lpString=".jpg") returned 4 [0070.955] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.955] lstrcmpiW (lpString1=".GIF", lpString2=".bmd") returned 1 [0070.956] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0070.956] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0070.956] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2eeff1c | out: lpFileSize=0x2eeff1c*=1293) returned 1 [0070.957] CloseHandle (hObject=0x20c) returned 1 [0070.957] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif")) returned 0x20 [0070.957] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0070.957] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0070.957] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0070.957] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2eefec8 | out: lpNewFilePointer=0x0) returned 1 [0070.957] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0070.968] GetLastError () returned 0x0 [0070.968] ReadFile (hFile=0x20c, lpBuffer=0x3960020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2eefed4, lpOverlapped=0x0) Thread: id = 15 os_tid = 0x40c [0047.366] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3880058 [0047.366] lstrlenW (lpString="C:") returned 2 [0047.366] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x302fd00 | out: lpFindFileData=0x302fd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x680830 [0047.367] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0047.367] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0047.367] lstrlenW (lpString="$Recycle.Bin") returned 12 [0047.367] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0047.367] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3890060 [0047.367] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0047.367] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x680870 [0047.367] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.367] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0047.367] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0047.367] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0047.368] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0047.368] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0047.368] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a1070 [0047.368] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0047.368] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x680588 [0047.368] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.368] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0047.368] lstrlenW (lpString="desktop.ini") returned 11 [0047.368] lstrlenW (lpString=".1cd") returned 4 [0047.368] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0047.368] lstrlenW (lpString=".3ds") returned 4 [0047.368] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0047.368] lstrlenW (lpString=".3fr") returned 4 [0047.368] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0047.368] lstrlenW (lpString=".3g2") returned 4 [0047.368] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0047.368] lstrlenW (lpString=".3gp") returned 4 [0047.368] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0047.369] lstrlenW (lpString=".7z") returned 3 [0047.369] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0047.369] lstrlenW (lpString=".accda") returned 6 [0047.369] lstrcmpiW (lpString1=".accda", lpString2="op.ini") returned -1 [0047.369] lstrlenW (lpString=".accdb") returned 6 [0047.369] lstrcmpiW (lpString1=".accdb", lpString2="op.ini") returned -1 [0047.369] lstrlenW (lpString=".accdc") returned 6 [0047.369] lstrcmpiW (lpString1=".accdc", lpString2="op.ini") returned -1 [0047.369] lstrlenW (lpString=".accde") returned 6 [0047.369] lstrcmpiW (lpString1=".accde", lpString2="op.ini") returned -1 [0047.369] lstrlenW (lpString=".accdt") returned 6 [0047.369] lstrcmpiW (lpString1=".accdt", lpString2="op.ini") returned -1 [0047.369] lstrlenW (lpString=".accdw") returned 6 [0047.369] lstrcmpiW (lpString1=".accdw", lpString2="op.ini") returned -1 [0047.369] lstrlenW (lpString=".adb") returned 4 [0047.369] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0047.369] lstrlenW (lpString=".adp") returned 4 [0047.369] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0047.369] lstrlenW (lpString=".ai") returned 3 [0047.369] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0047.369] lstrlenW (lpString=".ai3") returned 4 [0047.369] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0047.369] lstrlenW (lpString=".ai4") returned 4 [0047.369] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0047.369] lstrlenW (lpString=".ai5") returned 4 [0047.369] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0047.369] lstrlenW (lpString=".ai6") returned 4 [0047.369] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0047.369] lstrlenW (lpString=".ai7") returned 4 [0047.369] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0047.369] lstrlenW (lpString=".ai8") returned 4 [0047.369] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0047.369] lstrlenW (lpString=".anim") returned 5 [0047.369] lstrcmpiW (lpString1=".anim", lpString2="p.ini") returned -1 [0047.369] lstrlenW (lpString=".arw") returned 4 [0047.369] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0047.369] lstrlenW (lpString=".as") returned 3 [0047.370] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0047.370] lstrlenW (lpString=".asa") returned 4 [0047.370] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0047.370] lstrlenW (lpString=".asc") returned 4 [0047.370] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0047.370] lstrlenW (lpString=".ascx") returned 5 [0047.370] lstrcmpiW (lpString1=".ascx", lpString2="p.ini") returned -1 [0047.370] lstrlenW (lpString=".asm") returned 4 [0047.370] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0047.370] lstrlenW (lpString=".asmx") returned 5 [0047.370] lstrcmpiW (lpString1=".asmx", lpString2="p.ini") returned -1 [0047.370] lstrlenW (lpString=".asp") returned 4 [0047.370] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0047.370] lstrlenW (lpString=".aspx") returned 5 [0047.370] lstrcmpiW (lpString1=".aspx", lpString2="p.ini") returned -1 [0047.370] lstrlenW (lpString=".asr") returned 4 [0047.370] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0047.370] lstrlenW (lpString=".asx") returned 4 [0047.370] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0047.370] lstrlenW (lpString=".avi") returned 4 [0047.370] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0047.370] lstrlenW (lpString=".avs") returned 4 [0047.370] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0047.370] lstrlenW (lpString=".backup") returned 7 [0047.370] lstrcmpiW (lpString1=".backup", lpString2="top.ini") returned -1 [0047.370] lstrlenW (lpString=".bak") returned 4 [0047.370] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0047.370] lstrlenW (lpString=".bay") returned 4 [0047.370] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0047.370] lstrlenW (lpString=".bd") returned 3 [0047.370] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0047.370] lstrlenW (lpString=".bin") returned 4 [0047.370] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0047.370] lstrlenW (lpString=".bmp") returned 4 [0047.370] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0047.370] lstrlenW (lpString=".bz2") returned 4 [0047.371] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0047.371] lstrlenW (lpString=".c") returned 2 [0047.371] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0047.371] lstrlenW (lpString=".cdr") returned 4 [0047.371] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0047.371] lstrlenW (lpString=".cer") returned 4 [0047.371] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0047.371] lstrlenW (lpString=".cf") returned 3 [0047.371] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0047.371] lstrlenW (lpString=".cfc") returned 4 [0047.371] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0047.371] lstrlenW (lpString=".cfm") returned 4 [0047.371] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0047.371] lstrlenW (lpString=".cfml") returned 5 [0047.371] lstrcmpiW (lpString1=".cfml", lpString2="p.ini") returned -1 [0047.371] lstrlenW (lpString=".cfu") returned 4 [0047.371] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0047.371] lstrlenW (lpString=".chm") returned 4 [0047.371] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0047.371] lstrlenW (lpString=".cin") returned 4 [0047.371] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0047.371] lstrlenW (lpString=".class") returned 6 [0047.371] lstrcmpiW (lpString1=".class", lpString2="op.ini") returned -1 [0047.371] lstrlenW (lpString=".clx") returned 4 [0047.372] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0047.372] lstrlenW (lpString=".config") returned 7 [0047.372] lstrcmpiW (lpString1=".config", lpString2="top.ini") returned -1 [0047.372] lstrlenW (lpString=".cpp") returned 4 [0047.372] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0047.372] lstrlenW (lpString=".cr2") returned 4 [0047.372] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0047.372] lstrlenW (lpString=".crt") returned 4 [0047.372] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0047.372] lstrlenW (lpString=".crw") returned 4 [0047.372] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0047.372] lstrlenW (lpString=".cs") returned 3 [0047.372] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0047.372] lstrlenW (lpString=".css") returned 4 [0047.372] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0047.372] lstrlenW (lpString=".csv") returned 4 [0047.372] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0047.372] lstrlenW (lpString=".cub") returned 4 [0047.372] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0047.372] lstrlenW (lpString=".dae") returned 4 [0047.372] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0047.372] lstrlenW (lpString=".dat") returned 4 [0047.372] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0047.372] lstrlenW (lpString=".db") returned 3 [0047.372] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0047.372] lstrlenW (lpString=".dbf") returned 4 [0047.372] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0047.372] lstrlenW (lpString=".dbx") returned 4 [0047.372] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0047.373] lstrlenW (lpString=".dc3") returned 4 [0047.373] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0047.373] lstrlenW (lpString=".dcm") returned 4 [0047.373] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0047.373] lstrlenW (lpString=".dcr") returned 4 [0047.373] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0047.373] lstrlenW (lpString=".der") returned 4 [0047.373] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0047.373] lstrlenW (lpString=".dib") returned 4 [0047.373] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0047.373] lstrlenW (lpString=".dic") returned 4 [0047.373] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0047.373] lstrlenW (lpString=".dif") returned 4 [0047.373] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0047.373] lstrlenW (lpString=".divx") returned 5 [0047.373] lstrcmpiW (lpString1=".divx", lpString2="p.ini") returned -1 [0047.373] lstrlenW (lpString=".djvu") returned 5 [0047.373] lstrcmpiW (lpString1=".djvu", lpString2="p.ini") returned -1 [0047.373] lstrlenW (lpString=".dng") returned 4 [0047.373] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0047.373] lstrlenW (lpString=".doc") returned 4 [0047.373] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0047.373] lstrlenW (lpString=".docm") returned 5 [0047.373] lstrcmpiW (lpString1=".docm", lpString2="p.ini") returned -1 [0047.373] lstrlenW (lpString=".docx") returned 5 [0047.373] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0047.373] lstrlenW (lpString=".dot") returned 4 [0047.373] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0047.373] lstrlenW (lpString=".dotm") returned 5 [0047.374] lstrcmpiW (lpString1=".dotm", lpString2="p.ini") returned -1 [0047.374] lstrlenW (lpString=".dotx") returned 5 [0047.374] lstrcmpiW (lpString1=".dotx", lpString2="p.ini") returned -1 [0047.374] lstrlenW (lpString=".dpx") returned 4 [0047.374] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0047.374] lstrlenW (lpString=".dqy") returned 4 [0047.374] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0047.374] lstrlenW (lpString=".dsn") returned 4 [0047.374] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0047.374] lstrlenW (lpString=".dt") returned 3 [0047.374] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0047.374] lstrlenW (lpString=".dtd") returned 4 [0047.374] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0047.374] lstrlenW (lpString=".dwg") returned 4 [0047.374] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0047.374] lstrlenW (lpString=".dwt") returned 4 [0047.374] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0047.374] lstrlenW (lpString=".dx") returned 3 [0047.374] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0047.374] lstrlenW (lpString=".dxf") returned 4 [0047.374] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0047.374] lstrlenW (lpString=".edml") returned 5 [0047.374] lstrcmpiW (lpString1=".edml", lpString2="p.ini") returned -1 [0047.374] lstrlenW (lpString=".efd") returned 4 [0047.374] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0047.374] lstrlenW (lpString=".elf") returned 4 [0047.374] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0047.375] lstrlenW (lpString=".emf") returned 4 [0047.375] lstrcmpiW (lpString1=".emf", lpString2=".ini") returned -1 [0047.375] lstrlenW (lpString=".emz") returned 4 [0047.375] lstrcmpiW (lpString1=".emz", lpString2=".ini") returned -1 [0047.375] lstrlenW (lpString=".epf") returned 4 [0047.375] lstrcmpiW (lpString1=".epf", lpString2=".ini") returned -1 [0047.375] lstrlenW (lpString=".eps") returned 4 [0047.375] lstrcmpiW (lpString1=".eps", lpString2=".ini") returned -1 [0047.375] lstrlenW (lpString=".epsf") returned 5 [0047.375] lstrcmpiW (lpString1=".epsf", lpString2="p.ini") returned -1 [0047.375] lstrlenW (lpString=".epsp") returned 5 [0047.375] lstrcmpiW (lpString1=".epsp", lpString2="p.ini") returned -1 [0047.375] lstrlenW (lpString=".erf") returned 4 [0047.375] lstrcmpiW (lpString1=".erf", lpString2=".ini") returned -1 [0047.375] lstrlenW (lpString=".exr") returned 4 [0047.375] lstrcmpiW (lpString1=".exr", lpString2=".ini") returned -1 [0047.375] lstrlenW (lpString=".f4v") returned 4 [0047.375] lstrcmpiW (lpString1=".f4v", lpString2=".ini") returned -1 [0047.375] lstrlenW (lpString=".fido") returned 5 [0047.375] lstrcmpiW (lpString1=".fido", lpString2="p.ini") returned -1 [0047.375] lstrlenW (lpString=".flm") returned 4 [0047.375] lstrcmpiW (lpString1=".flm", lpString2=".ini") returned -1 [0047.375] lstrlenW (lpString=".flv") returned 4 [0047.375] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0047.375] lstrlenW (lpString=".frm") returned 4 [0047.375] lstrcmpiW (lpString1=".frm", lpString2=".ini") returned -1 [0047.375] lstrlenW (lpString=".fxg") returned 4 [0047.375] lstrcmpiW (lpString1=".fxg", lpString2=".ini") returned -1 [0047.376] lstrlenW (lpString=".geo") returned 4 [0047.376] lstrcmpiW (lpString1=".geo", lpString2=".ini") returned -1 [0047.376] lstrlenW (lpString=".gif") returned 4 [0047.376] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0047.376] lstrlenW (lpString=".grs") returned 4 [0047.376] lstrcmpiW (lpString1=".grs", lpString2=".ini") returned -1 [0047.376] lstrlenW (lpString=".gz") returned 3 [0047.376] lstrcmpiW (lpString1=".gz", lpString2="ini") returned -1 [0047.376] lstrlenW (lpString=".h") returned 2 [0047.376] lstrcmpiW (lpString1=".h", lpString2="ni") returned -1 [0047.376] lstrlenW (lpString=".hdr") returned 4 [0047.376] lstrcmpiW (lpString1=".hdr", lpString2=".ini") returned -1 [0047.376] lstrlenW (lpString=".hpp") returned 4 [0047.376] lstrcmpiW (lpString1=".hpp", lpString2=".ini") returned -1 [0047.376] lstrlenW (lpString=".hta") returned 4 [0047.376] lstrcmpiW (lpString1=".hta", lpString2=".ini") returned -1 [0047.376] lstrlenW (lpString=".htc") returned 4 [0047.376] lstrcmpiW (lpString1=".htc", lpString2=".ini") returned -1 [0047.376] lstrlenW (lpString=".htm") returned 4 [0047.376] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0047.376] lstrlenW (lpString=".html") returned 5 [0047.376] lstrcmpiW (lpString1=".html", lpString2="p.ini") returned -1 [0047.376] lstrlenW (lpString=".icb") returned 4 [0047.376] lstrcmpiW (lpString1=".icb", lpString2=".ini") returned -1 [0047.376] lstrlenW (lpString=".ics") returned 4 [0047.376] lstrcmpiW (lpString1=".ics", lpString2=".ini") returned -1 [0047.376] lstrlenW (lpString=".iff") returned 4 [0047.376] lstrcmpiW (lpString1=".iff", lpString2=".ini") returned -1 [0047.377] lstrlenW (lpString=".inc") returned 4 [0047.377] lstrcmpiW (lpString1=".inc", lpString2=".ini") returned -1 [0047.377] lstrlenW (lpString=".indd") returned 5 [0047.377] lstrcmpiW (lpString1=".indd", lpString2="p.ini") returned -1 [0047.377] lstrlenW (lpString=".ini") returned 4 [0047.377] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0047.377] lstrlenW (lpString="desktop.ini") returned 11 [0047.377] lstrlenW (lpString=".bmd") returned 4 [0047.377] lstrcmpiW (lpString1=".bmd", lpString2=".ini") returned -1 [0047.377] lstrlenW (lpString="desktop.ini") returned 11 [0047.377] lstrcmpiW (lpString1="boot.ini", lpString2="desktop.ini") returned -1 [0047.377] lstrcmpiW (lpString1="bootfont.bin", lpString2="desktop.ini") returned -1 [0047.377] lstrcmpiW (lpString1="ntldr", lpString2="desktop.ini") returned 1 [0047.377] lstrcmpiW (lpString1="ntdetect.com", lpString2="desktop.ini") returned 1 [0047.377] lstrcmpiW (lpString1="io.sys", lpString2="desktop.ini") returned 1 [0047.377] lstrcmpiW (lpString1="FILES ENCRYPTED.txt", lpString2="desktop.ini") returned 1 [0047.377] lstrcmpiW (lpString1="Info.hta", lpString2="desktop.ini") returned 1 [0047.377] lstrcmpiW (lpString1="winhost.exe", lpString2="desktop.ini") returned 1 [0047.377] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0047.377] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0047.377] FindClose (in: hFindFile=0x680588 | out: hFindFile=0x680588) returned 1 [0047.378] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a1070 | out: hHeap=0x5f0000) returned 1 [0047.378] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0047.378] FindClose (in: hFindFile=0x680870 | out: hFindFile=0x680870) returned 1 [0047.378] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3890060 | out: hHeap=0x5f0000) returned 1 [0047.378] FindNextFileW (in: hFindFile=0x680830, lpFindFileData=0x302fd00 | out: lpFindFileData=0x302fd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0047.378] lstrlenW (lpString="C:\\Boot") returned 7 [0047.378] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Boot") returned 1 [0047.378] lstrlenW (lpString="Boot") returned 4 [0047.378] lstrcmpiW (lpString1="C:\\Windows", lpString2="Boot") returned 1 [0047.378] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3890060 [0047.378] lstrlenW (lpString="C:\\Boot") returned 7 [0047.378] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x680870 [0047.379] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.379] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x90cd45e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x90cd45e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0047.379] lstrlenW (lpString="BCD") returned 3 [0047.379] lstrlenW (lpString=".1cd") returned 4 [0047.379] lstrcmpiW (lpString1=".1cd", lpString2="") returned 1 [0047.379] lstrlenW (lpString=".3ds") returned 4 [0047.379] lstrcmpiW (lpString1=".3ds", lpString2="") returned 1 [0047.379] lstrlenW (lpString=".3fr") returned 4 [0047.379] lstrcmpiW (lpString1=".3fr", lpString2="") returned 1 [0047.379] lstrlenW (lpString=".3g2") returned 4 [0047.379] lstrcmpiW (lpString1=".3g2", lpString2="") returned 1 [0047.379] lstrlenW (lpString=".3gp") returned 4 [0047.379] lstrcmpiW (lpString1=".3gp", lpString2="") returned 1 [0047.379] lstrlenW (lpString=".7z") returned 3 [0047.379] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0047.379] lstrlenW (lpString=".accda") returned 6 [0047.379] lstrcmpiW (lpString1=".accda", lpString2="") returned 1 [0047.379] lstrlenW (lpString=".accdb") returned 6 [0047.379] lstrcmpiW (lpString1=".accdb", lpString2="") returned 1 [0047.379] lstrlenW (lpString=".accdc") returned 6 [0047.379] lstrcmpiW (lpString1=".accdc", lpString2="") returned 1 [0047.379] lstrlenW (lpString=".accde") returned 6 [0047.379] lstrcmpiW (lpString1=".accde", lpString2="") returned 1 [0047.380] lstrlenW (lpString=".accdt") returned 6 [0047.380] lstrcmpiW (lpString1=".accdt", lpString2="") returned 1 [0047.380] lstrlenW (lpString=".accdw") returned 6 [0047.380] lstrcmpiW (lpString1=".accdw", lpString2="") returned 1 [0047.380] lstrlenW (lpString=".adb") returned 4 [0047.380] lstrcmpiW (lpString1=".adb", lpString2="") returned 1 [0047.380] lstrlenW (lpString=".adp") returned 4 [0047.380] lstrcmpiW (lpString1=".adp", lpString2="") returned 1 [0047.380] lstrlenW (lpString=".ai") returned 3 [0047.380] lstrcmpiW (lpString1=".ai", lpString2="BCD") returned -1 [0047.380] lstrlenW (lpString=".ai3") returned 4 [0047.380] lstrcmpiW (lpString1=".ai3", lpString2="") returned 1 [0047.380] lstrlenW (lpString=".ai4") returned 4 [0047.380] lstrcmpiW (lpString1=".ai4", lpString2="") returned 1 [0047.380] lstrlenW (lpString=".ai5") returned 4 [0047.380] lstrcmpiW (lpString1=".ai5", lpString2="") returned 1 [0047.380] lstrlenW (lpString=".ai6") returned 4 [0047.380] lstrcmpiW (lpString1=".ai6", lpString2="") returned 1 [0047.380] lstrlenW (lpString=".ai7") returned 4 [0047.380] lstrcmpiW (lpString1=".ai7", lpString2="") returned 1 [0047.380] lstrlenW (lpString=".ai8") returned 4 [0047.380] lstrcmpiW (lpString1=".ai8", lpString2="") returned 1 [0047.380] lstrlenW (lpString=".anim") returned 5 [0047.380] lstrcmpiW (lpString1=".anim", lpString2="") returned 1 [0047.380] lstrlenW (lpString=".arw") returned 4 [0047.380] lstrcmpiW (lpString1=".arw", lpString2="") returned 1 [0047.380] lstrlenW (lpString=".as") returned 3 [0047.380] lstrcmpiW (lpString1=".as", lpString2="BCD") returned -1 [0047.380] lstrlenW (lpString=".asa") returned 4 [0047.381] lstrcmpiW (lpString1=".asa", lpString2="") returned 1 [0047.381] lstrlenW (lpString=".asc") returned 4 [0047.381] lstrcmpiW (lpString1=".asc", lpString2="") returned 1 [0047.381] lstrlenW (lpString=".ascx") returned 5 [0047.381] lstrcmpiW (lpString1=".ascx", lpString2="") returned 1 [0047.381] lstrlenW (lpString=".asm") returned 4 [0047.381] lstrcmpiW (lpString1=".asm", lpString2="") returned 1 [0047.381] lstrlenW (lpString=".asmx") returned 5 [0047.381] lstrcmpiW (lpString1=".asmx", lpString2="") returned 1 [0047.381] lstrlenW (lpString=".asp") returned 4 [0047.381] lstrcmpiW (lpString1=".asp", lpString2="") returned 1 [0047.381] lstrlenW (lpString=".aspx") returned 5 [0047.381] lstrcmpiW (lpString1=".aspx", lpString2="") returned 1 [0047.381] lstrlenW (lpString=".asr") returned 4 [0047.381] lstrcmpiW (lpString1=".asr", lpString2="") returned 1 [0047.381] lstrlenW (lpString=".asx") returned 4 [0047.381] lstrcmpiW (lpString1=".asx", lpString2="") returned 1 [0047.381] lstrlenW (lpString=".avi") returned 4 [0047.381] lstrcmpiW (lpString1=".avi", lpString2="") returned 1 [0047.381] lstrlenW (lpString=".avs") returned 4 [0047.381] lstrcmpiW (lpString1=".avs", lpString2="") returned 1 [0047.381] lstrlenW (lpString=".backup") returned 7 [0047.381] lstrcmpiW (lpString1=".backup", lpString2="") returned 1 [0047.381] lstrlenW (lpString=".bak") returned 4 [0047.381] lstrcmpiW (lpString1=".bak", lpString2="") returned 1 [0047.381] lstrlenW (lpString=".bay") returned 4 [0047.381] lstrcmpiW (lpString1=".bay", lpString2="") returned 1 [0047.381] lstrlenW (lpString=".bd") returned 3 [0047.382] lstrcmpiW (lpString1=".bd", lpString2="BCD") returned -1 [0047.382] lstrlenW (lpString=".bin") returned 4 [0047.382] lstrcmpiW (lpString1=".bin", lpString2="") returned 1 [0047.382] lstrlenW (lpString=".bmp") returned 4 [0047.382] lstrcmpiW (lpString1=".bmp", lpString2="") returned 1 [0047.382] lstrlenW (lpString=".bz2") returned 4 [0047.382] lstrcmpiW (lpString1=".bz2", lpString2="") returned 1 [0047.382] lstrlenW (lpString=".c") returned 2 [0047.382] lstrcmpiW (lpString1=".c", lpString2="CD") returned -1 [0047.382] lstrlenW (lpString=".cdr") returned 4 [0047.382] lstrcmpiW (lpString1=".cdr", lpString2="") returned 1 [0047.382] lstrlenW (lpString=".cer") returned 4 [0047.382] lstrcmpiW (lpString1=".cer", lpString2="") returned 1 [0047.382] lstrlenW (lpString=".cf") returned 3 [0047.382] lstrcmpiW (lpString1=".cf", lpString2="BCD") returned -1 [0047.382] lstrlenW (lpString=".cfc") returned 4 [0047.382] lstrcmpiW (lpString1=".cfc", lpString2="") returned 1 [0047.382] lstrlenW (lpString=".cfm") returned 4 [0047.382] lstrcmpiW (lpString1=".cfm", lpString2="") returned 1 [0047.382] lstrlenW (lpString=".cfml") returned 5 [0047.382] lstrcmpiW (lpString1=".cfml", lpString2="") returned 1 [0047.382] lstrlenW (lpString=".cfu") returned 4 [0047.382] lstrcmpiW (lpString1=".cfu", lpString2="") returned 1 [0047.382] lstrlenW (lpString=".chm") returned 4 [0047.382] lstrcmpiW (lpString1=".chm", lpString2="") returned 1 [0047.382] lstrlenW (lpString=".cin") returned 4 [0047.382] lstrcmpiW (lpString1=".cin", lpString2="") returned 1 [0047.382] lstrlenW (lpString=".class") returned 6 [0047.382] lstrcmpiW (lpString1=".class", lpString2="") returned 1 [0047.383] lstrlenW (lpString=".clx") returned 4 [0047.383] lstrcmpiW (lpString1=".clx", lpString2="") returned 1 [0047.383] lstrlenW (lpString=".config") returned 7 [0047.383] lstrcmpiW (lpString1=".config", lpString2="") returned 1 [0047.383] lstrlenW (lpString=".cpp") returned 4 [0047.383] lstrcmpiW (lpString1=".cpp", lpString2="") returned 1 [0047.383] lstrlenW (lpString=".cr2") returned 4 [0047.383] lstrcmpiW (lpString1=".cr2", lpString2="") returned 1 [0047.383] lstrlenW (lpString=".crt") returned 4 [0047.383] lstrcmpiW (lpString1=".crt", lpString2="") returned 1 [0047.383] lstrlenW (lpString=".crw") returned 4 [0047.383] lstrcmpiW (lpString1=".crw", lpString2="") returned 1 [0047.383] lstrlenW (lpString=".cs") returned 3 [0047.383] lstrcmpiW (lpString1=".cs", lpString2="BCD") returned -1 [0047.383] lstrlenW (lpString=".css") returned 4 [0047.383] lstrcmpiW (lpString1=".css", lpString2="") returned 1 [0047.383] lstrlenW (lpString=".csv") returned 4 [0047.383] lstrcmpiW (lpString1=".csv", lpString2="") returned 1 [0047.383] lstrlenW (lpString=".cub") returned 4 [0047.383] lstrcmpiW (lpString1=".cub", lpString2="") returned 1 [0047.383] lstrlenW (lpString=".dae") returned 4 [0047.383] lstrcmpiW (lpString1=".dae", lpString2="") returned 1 [0047.383] lstrlenW (lpString=".dat") returned 4 [0047.383] lstrcmpiW (lpString1=".dat", lpString2="") returned 1 [0047.383] lstrlenW (lpString=".db") returned 3 [0047.383] lstrcmpiW (lpString1=".db", lpString2="BCD") returned -1 [0047.383] lstrlenW (lpString=".dbf") returned 4 [0047.383] lstrcmpiW (lpString1=".dbf", lpString2="") returned 1 [0047.383] lstrlenW (lpString=".dbx") returned 4 [0047.383] lstrcmpiW (lpString1=".dbx", lpString2="") returned 1 [0047.383] lstrlenW (lpString=".dc3") returned 4 [0047.383] lstrcmpiW (lpString1=".dc3", lpString2="") returned 1 [0047.384] lstrlenW (lpString=".dcm") returned 4 [0047.384] lstrcmpiW (lpString1=".dcm", lpString2="") returned 1 [0047.384] lstrlenW (lpString=".dcr") returned 4 [0047.384] lstrcmpiW (lpString1=".dcr", lpString2="") returned 1 [0047.384] lstrlenW (lpString=".der") returned 4 [0047.384] lstrcmpiW (lpString1=".der", lpString2="") returned 1 [0047.384] lstrlenW (lpString=".dib") returned 4 [0047.384] lstrcmpiW (lpString1=".dib", lpString2="") returned 1 [0047.384] lstrlenW (lpString=".dic") returned 4 [0047.384] lstrcmpiW (lpString1=".dic", lpString2="") returned 1 [0047.384] lstrlenW (lpString=".dif") returned 4 [0047.384] lstrcmpiW (lpString1=".dif", lpString2="") returned 1 [0047.384] lstrlenW (lpString=".divx") returned 5 [0047.384] lstrcmpiW (lpString1=".divx", lpString2="") returned 1 [0047.384] lstrlenW (lpString=".djvu") returned 5 [0047.384] lstrcmpiW (lpString1=".djvu", lpString2="") returned 1 [0047.384] lstrlenW (lpString=".dng") returned 4 [0047.384] lstrcmpiW (lpString1=".dng", lpString2="") returned 1 [0047.384] lstrlenW (lpString=".doc") returned 4 [0047.384] lstrcmpiW (lpString1=".doc", lpString2="") returned 1 [0047.384] lstrlenW (lpString=".docm") returned 5 [0047.384] lstrcmpiW (lpString1=".docm", lpString2="") returned 1 [0047.384] lstrlenW (lpString=".docx") returned 5 [0047.384] lstrcmpiW (lpString1=".docx", lpString2="") returned 1 [0047.384] lstrlenW (lpString=".dot") returned 4 [0047.384] lstrcmpiW (lpString1=".dot", lpString2="") returned 1 [0047.384] lstrlenW (lpString=".dotm") returned 5 [0047.384] lstrcmpiW (lpString1=".dotm", lpString2="") returned 1 [0047.384] lstrlenW (lpString=".dotx") returned 5 [0047.385] lstrcmpiW (lpString1=".dotx", lpString2="") returned 1 [0047.385] lstrlenW (lpString=".dpx") returned 4 [0047.385] lstrcmpiW (lpString1=".dpx", lpString2="") returned 1 [0047.385] lstrlenW (lpString=".dqy") returned 4 [0047.385] lstrcmpiW (lpString1=".dqy", lpString2="") returned 1 [0047.385] lstrlenW (lpString=".dsn") returned 4 [0047.385] lstrcmpiW (lpString1=".dsn", lpString2="") returned 1 [0047.385] lstrlenW (lpString=".dt") returned 3 [0047.385] lstrcmpiW (lpString1=".dt", lpString2="BCD") returned -1 [0047.385] lstrlenW (lpString=".dtd") returned 4 [0047.385] lstrcmpiW (lpString1=".dtd", lpString2="") returned 1 [0047.385] lstrlenW (lpString=".dwg") returned 4 [0047.385] lstrcmpiW (lpString1=".dwg", lpString2="") returned 1 [0047.385] lstrlenW (lpString=".dwt") returned 4 [0047.385] lstrcmpiW (lpString1=".dwt", lpString2="") returned 1 [0047.385] lstrlenW (lpString=".dx") returned 3 [0047.385] lstrcmpiW (lpString1=".dx", lpString2="BCD") returned -1 [0047.385] lstrlenW (lpString=".dxf") returned 4 [0047.385] lstrcmpiW (lpString1=".dxf", lpString2="") returned 1 [0047.385] lstrlenW (lpString=".edml") returned 5 [0047.385] lstrcmpiW (lpString1=".edml", lpString2="") returned 1 [0047.385] lstrlenW (lpString=".efd") returned 4 [0047.385] lstrcmpiW (lpString1=".efd", lpString2="") returned 1 [0047.385] lstrlenW (lpString=".elf") returned 4 [0047.385] lstrcmpiW (lpString1=".elf", lpString2="") returned 1 [0047.385] lstrlenW (lpString=".emf") returned 4 [0047.385] lstrcmpiW (lpString1=".emf", lpString2="") returned 1 [0047.385] lstrlenW (lpString=".emz") returned 4 [0047.385] lstrcmpiW (lpString1=".emz", lpString2="") returned 1 [0047.386] lstrlenW (lpString=".epf") returned 4 [0047.386] lstrcmpiW (lpString1=".epf", lpString2="") returned 1 [0047.386] lstrlenW (lpString=".eps") returned 4 [0047.386] lstrcmpiW (lpString1=".eps", lpString2="") returned 1 [0047.386] lstrlenW (lpString=".epsf") returned 5 [0047.386] lstrcmpiW (lpString1=".epsf", lpString2="") returned 1 [0047.386] lstrlenW (lpString=".epsp") returned 5 [0047.386] lstrcmpiW (lpString1=".epsp", lpString2="") returned 1 [0047.386] lstrlenW (lpString=".erf") returned 4 [0047.386] lstrcmpiW (lpString1=".erf", lpString2="") returned 1 [0047.386] lstrlenW (lpString=".exr") returned 4 [0047.386] lstrcmpiW (lpString1=".exr", lpString2="") returned 1 [0047.386] lstrlenW (lpString=".f4v") returned 4 [0047.386] lstrcmpiW (lpString1=".f4v", lpString2="") returned 1 [0047.386] lstrlenW (lpString=".fido") returned 5 [0047.386] lstrcmpiW (lpString1=".fido", lpString2="") returned 1 [0047.386] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.387] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x680588 [0047.389] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.389] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.390] FindClose (in: hFindFile=0x680588 | out: hFindFile=0x680588) returned 1 [0047.394] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.394] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0047.394] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.394] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x680588 [0047.395] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.395] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.395] FindClose (in: hFindFile=0x680588 | out: hFindFile=0x680588) returned 1 [0047.395] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.395] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0047.395] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.395] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x680588 [0047.522] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.522] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.522] FindClose (in: hFindFile=0x680588 | out: hFindFile=0x680588) returned 1 [0047.522] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.522] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0047.522] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.522] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x680588 [0047.523] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.523] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.523] FindClose (in: hFindFile=0x680588 | out: hFindFile=0x680588) returned 1 [0047.523] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.523] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0047.523] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.523] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x680588 [0047.532] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.532] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.533] FindClose (in: hFindFile=0x680588 | out: hFindFile=0x680588) returned 1 [0047.533] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.533] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0047.533] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.533] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x680588 [0047.539] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.539] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.539] FindClose (in: hFindFile=0x680588 | out: hFindFile=0x680588) returned 1 [0047.539] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.539] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0047.539] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.539] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x680588 [0047.540] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.540] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.540] FindClose (in: hFindFile=0x680588 | out: hFindFile=0x680588) returned 1 [0047.540] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.540] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0047.540] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.540] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x680588 [0047.593] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.593] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0047.594] FindClose (in: hFindFile=0x680588 | out: hFindFile=0x680588) returned 1 [0047.594] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.594] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0047.594] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.594] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x680588 [0047.739] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.739] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.739] FindClose (in: hFindFile=0x680588 | out: hFindFile=0x680588) returned 1 [0047.739] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.739] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0047.739] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.739] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x680588 [0047.740] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.740] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.740] FindClose (in: hFindFile=0x680588 | out: hFindFile=0x680588) returned 1 [0047.740] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.740] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0047.740] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.740] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x646ee8 [0047.781] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.781] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.782] FindClose (in: hFindFile=0x646ee8 | out: hFindFile=0x646ee8) returned 1 [0047.782] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.782] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0047.783] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.783] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x646ee8 [0047.783] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.783] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.783] FindClose (in: hFindFile=0x646ee8 | out: hFindFile=0x646ee8) returned 1 [0047.784] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.784] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0047.784] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.784] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x646ee8 [0047.830] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.831] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.831] FindClose (in: hFindFile=0x646ee8 | out: hFindFile=0x646ee8) returned 1 [0047.831] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.831] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x8bc7dbfe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x76980, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0047.831] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.831] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x646ee8 [0047.832] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.832] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.832] FindClose (in: hFindFile=0x646ee8 | out: hFindFile=0x646ee8) returned 1 [0047.832] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.832] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0047.832] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.832] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x646ee8 [0047.843] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.843] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.843] FindClose (in: hFindFile=0x646ee8 | out: hFindFile=0x646ee8) returned 1 [0047.844] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.844] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0047.844] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.844] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x646ee8 [0047.844] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.844] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.844] FindClose (in: hFindFile=0x646ee8 | out: hFindFile=0x646ee8) returned 1 [0047.845] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.845] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0047.845] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.845] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x646ee8 [0047.877] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.877] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.877] FindClose (in: hFindFile=0x646ee8 | out: hFindFile=0x646ee8) returned 1 [0047.877] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.877] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0047.877] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.877] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x646ee8 [0047.878] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.878] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.878] FindClose (in: hFindFile=0x646ee8 | out: hFindFile=0x646ee8) returned 1 [0047.878] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.878] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0047.878] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.878] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x646ee8 [0047.887] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.918] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.918] FindClose (in: hFindFile=0x646ee8 | out: hFindFile=0x646ee8) returned 1 [0047.919] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.919] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0047.919] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.919] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x646ee8 [0047.920] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.920] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.920] FindClose (in: hFindFile=0x646ee8 | out: hFindFile=0x646ee8) returned 1 [0047.920] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.920] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0047.920] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.920] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x646ee8 [0047.921] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.921] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.922] FindClose (in: hFindFile=0x646ee8 | out: hFindFile=0x646ee8) returned 1 [0047.922] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.922] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0047.922] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.922] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x646ee8 [0047.922] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.922] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.923] FindClose (in: hFindFile=0x646ee8 | out: hFindFile=0x646ee8) returned 1 [0047.923] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.923] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0047.923] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.923] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x646ee8 [0047.924] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.924] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.924] FindClose (in: hFindFile=0x646ee8 | out: hFindFile=0x646ee8) returned 1 [0047.924] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.924] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0047.924] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.924] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x646ee8 [0047.925] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.925] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0047.925] FindClose (in: hFindFile=0x646ee8 | out: hFindFile=0x646ee8) returned 1 [0047.925] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38a0068 | out: hHeap=0x5f0000) returned 1 [0047.925] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0047.925] FindClose (in: hFindFile=0x680870 | out: hFindFile=0x680870) returned 1 [0047.925] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3890060 | out: hHeap=0x5f0000) returned 1 [0047.925] FindNextFileW (in: hFindFile=0x680830, lpFindFileData=0x302fd00 | out: lpFindFileData=0x302fd00*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0047.925] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3890060 [0047.925] FindFirstFileW (in: lpFileName="C:\\Config.Msi\\*", lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x680870 [0047.926] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.926] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0047.926] FindClose (in: hFindFile=0x680870 | out: hFindFile=0x680870) returned 1 [0047.926] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3890060 | out: hHeap=0x5f0000) returned 1 [0047.926] FindNextFileW (in: hFindFile=0x680830, lpFindFileData=0x302fd00 | out: lpFindFileData=0x302fd00*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0047.926] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3890060 [0047.926] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*", lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="c\x16")) returned 0xffffffff [0047.927] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3890060 | out: hHeap=0x5f0000) returned 1 [0047.927] FindNextFileW (in: hFindFile=0x680830, lpFindFileData=0x302fd00 | out: lpFindFileData=0x302fd00*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xae99ef60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0047.927] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3890060 [0047.927] FindFirstFileW (in: lpFileName="C:\\MSOCache\\*", lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x680870 [0047.928] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.928] FindNextFileW (in: hFindFile=0x680870, lpFindFileData=0x302fa84 | out: lpFindFileData=0x302fa84*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0047.928] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38a0068 [0047.928] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\*", lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x646ee8 [0048.056] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.094] FindNextFileW (in: hFindFile=0x646ee8, lpFindFileData=0x302f808 | out: lpFindFileData=0x302f808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0048.094] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x38b0070 [0048.365] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f58c | out: lpFindFileData=0x302f58c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.365] FindNextFileW (in: hFindFile=0x680588, lpFindFileData=0x302f58c | out: lpFindFileData=0x302f58c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x393df700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x393df700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xed035930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x102fcbb, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelLR.cab", cAlternateFileName="")) returned 1 [0048.795] FindNextFileW (in: hFindFile=0x4011138, lpFindFileData=0x302f58c | out: lpFindFileData=0x302f58c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.795] FindNextFileW (in: hFindFile=0x4011138, lpFindFileData=0x302f58c | out: lpFindFileData=0x302f58c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x34ae1a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x34ae1a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe0c2860, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0048.795] lstrlenW (lpString="Office32WW.msi") returned 14 [0048.795] lstrlenW (lpString=".1cd") returned 4 [0048.795] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.795] lstrlenW (lpString=".3ds") returned 4 [0048.795] lstrcmpiW (lpString1=".3ds", lpString2=".msi") returned -1 [0048.795] lstrlenW (lpString=".3fr") returned 4 [0048.795] lstrcmpiW (lpString1=".3fr", lpString2=".msi") returned -1 [0048.795] lstrlenW (lpString=".3g2") returned 4 [0048.795] lstrcmpiW (lpString1=".3g2", lpString2=".msi") returned -1 [0048.795] lstrlenW (lpString=".3gp") returned 4 [0048.795] lstrcmpiW (lpString1=".3gp", lpString2=".msi") returned -1 [0048.795] lstrlenW (lpString=".7z") returned 3 [0048.795] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.795] lstrlenW (lpString=".accda") returned 6 [0048.795] lstrcmpiW (lpString1=".accda", lpString2="WW.msi") returned -1 [0048.795] lstrlenW (lpString=".accdb") returned 6 [0048.795] lstrcmpiW (lpString1=".accdb", lpString2="WW.msi") returned -1 [0048.796] lstrlenW (lpString=".accdc") returned 6 [0048.796] lstrcmpiW (lpString1=".accdc", lpString2="WW.msi") returned -1 [0048.796] lstrlenW (lpString=".accde") returned 6 [0048.796] lstrcmpiW (lpString1=".accde", lpString2="WW.msi") returned -1 [0048.796] lstrlenW (lpString=".accdt") returned 6 [0048.796] lstrcmpiW (lpString1=".accdt", lpString2="WW.msi") returned -1 [0048.796] lstrlenW (lpString=".accdw") returned 6 [0048.796] lstrcmpiW (lpString1=".accdw", lpString2="WW.msi") returned -1 [0048.796] lstrlenW (lpString=".adb") returned 4 [0048.796] lstrcmpiW (lpString1=".adb", lpString2=".msi") returned -1 [0048.796] lstrlenW (lpString=".adp") returned 4 [0048.796] lstrcmpiW (lpString1=".adp", lpString2=".msi") returned -1 [0048.796] lstrlenW (lpString=".ai") returned 3 [0048.796] lstrcmpiW (lpString1=".ai", lpString2="msi") returned -1 [0048.796] lstrlenW (lpString=".ai3") returned 4 [0048.796] lstrcmpiW (lpString1=".ai3", lpString2=".msi") returned -1 [0048.796] lstrlenW (lpString=".ai4") returned 4 [0048.796] lstrcmpiW (lpString1=".ai4", lpString2=".msi") returned -1 [0048.796] lstrlenW (lpString=".ai5") returned 4 [0048.796] lstrcmpiW (lpString1=".ai5", lpString2=".msi") returned -1 [0048.796] lstrlenW (lpString=".ai6") returned 4 [0048.796] lstrcmpiW (lpString1=".ai6", lpString2=".msi") returned -1 [0048.796] lstrlenW (lpString=".ai7") returned 4 [0048.796] lstrcmpiW (lpString1=".ai7", lpString2=".msi") returned -1 [0048.796] lstrlenW (lpString=".ai8") returned 4 [0048.796] lstrcmpiW (lpString1=".ai8", lpString2=".msi") returned -1 [0048.796] lstrlenW (lpString=".anim") returned 5 [0048.796] lstrcmpiW (lpString1=".anim", lpString2="W.msi") returned -1 [0048.796] lstrlenW (lpString=".arw") returned 4 [0048.797] lstrcmpiW (lpString1=".arw", lpString2=".msi") returned -1 [0048.797] lstrlenW (lpString=".as") returned 3 [0048.797] lstrcmpiW (lpString1=".as", lpString2="msi") returned -1 [0048.797] lstrlenW (lpString=".asa") returned 4 [0048.797] lstrcmpiW (lpString1=".asa", lpString2=".msi") returned -1 [0048.797] lstrlenW (lpString=".asc") returned 4 [0048.797] lstrcmpiW (lpString1=".asc", lpString2=".msi") returned -1 [0048.797] lstrlenW (lpString=".ascx") returned 5 [0048.797] lstrcmpiW (lpString1=".ascx", lpString2="W.msi") returned -1 [0048.797] lstrlenW (lpString=".asm") returned 4 [0048.797] lstrcmpiW (lpString1=".asm", lpString2=".msi") returned -1 [0048.797] lstrlenW (lpString=".asmx") returned 5 [0048.797] lstrcmpiW (lpString1=".asmx", lpString2="W.msi") returned -1 [0048.797] lstrlenW (lpString=".asp") returned 4 [0048.797] lstrcmpiW (lpString1=".asp", lpString2=".msi") returned -1 [0048.797] lstrlenW (lpString=".aspx") returned 5 [0048.797] lstrcmpiW (lpString1=".aspx", lpString2="W.msi") returned -1 [0048.797] lstrlenW (lpString=".asr") returned 4 [0048.797] lstrcmpiW (lpString1=".asr", lpString2=".msi") returned -1 [0048.797] lstrlenW (lpString=".asx") returned 4 [0048.797] lstrcmpiW (lpString1=".asx", lpString2=".msi") returned -1 [0048.797] lstrlenW (lpString=".avi") returned 4 [0048.797] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0048.797] lstrlenW (lpString=".avs") returned 4 [0048.797] lstrcmpiW (lpString1=".avs", lpString2=".msi") returned -1 [0048.797] lstrlenW (lpString=".backup") returned 7 [0048.797] lstrcmpiW (lpString1=".backup", lpString2="2WW.msi") returned -1 [0048.797] lstrlenW (lpString=".bak") returned 4 [0048.797] lstrcmpiW (lpString1=".bak", lpString2=".msi") returned -1 [0048.797] lstrlenW (lpString=".bay") returned 4 [0048.797] lstrcmpiW (lpString1=".bay", lpString2=".msi") returned -1 [0048.797] lstrlenW (lpString=".bd") returned 3 [0048.797] lstrcmpiW (lpString1=".bd", lpString2="msi") returned -1 [0048.797] lstrlenW (lpString=".bin") returned 4 [0048.797] lstrcmpiW (lpString1=".bin", lpString2=".msi") returned -1 [0048.798] lstrlenW (lpString=".bmp") returned 4 [0048.798] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0048.798] lstrlenW (lpString=".bz2") returned 4 [0048.798] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.798] lstrlenW (lpString=".c") returned 2 [0048.798] lstrcmpiW (lpString1=".c", lpString2="si") returned -1 [0048.798] lstrlenW (lpString=".cdr") returned 4 [0048.798] lstrcmpiW (lpString1=".cdr", lpString2=".msi") returned -1 [0048.798] lstrlenW (lpString=".cer") returned 4 [0048.798] lstrcmpiW (lpString1=".cer", lpString2=".msi") returned -1 [0048.798] lstrlenW (lpString=".cf") returned 3 [0048.798] lstrcmpiW (lpString1=".cf", lpString2="msi") returned -1 [0048.798] lstrlenW (lpString=".cfc") returned 4 [0048.798] lstrcmpiW (lpString1=".cfc", lpString2=".msi") returned -1 [0048.798] lstrlenW (lpString=".cfm") returned 4 [0048.798] lstrcmpiW (lpString1=".cfm", lpString2=".msi") returned -1 [0048.798] lstrlenW (lpString=".cfml") returned 5 [0048.798] lstrcmpiW (lpString1=".cfml", lpString2="W.msi") returned -1 [0048.798] lstrlenW (lpString=".cfu") returned 4 [0048.798] lstrcmpiW (lpString1=".cfu", lpString2=".msi") returned -1 [0048.798] lstrlenW (lpString=".chm") returned 4 [0048.798] lstrcmpiW (lpString1=".chm", lpString2=".msi") returned -1 [0048.798] lstrlenW (lpString=".cin") returned 4 [0048.798] lstrcmpiW (lpString1=".cin", lpString2=".msi") returned -1 [0048.798] lstrlenW (lpString=".class") returned 6 [0048.798] lstrcmpiW (lpString1=".class", lpString2="WW.msi") returned -1 [0048.798] lstrlenW (lpString=".clx") returned 4 [0048.798] lstrcmpiW (lpString1=".clx", lpString2=".msi") returned -1 [0048.798] lstrlenW (lpString=".config") returned 7 [0048.798] lstrcmpiW (lpString1=".config", lpString2="2WW.msi") returned -1 [0048.798] lstrlenW (lpString=".cpp") returned 4 [0048.798] lstrcmpiW (lpString1=".cpp", lpString2=".msi") returned -1 [0048.798] lstrlenW (lpString=".cr2") returned 4 [0048.798] lstrcmpiW (lpString1=".cr2", lpString2=".msi") returned -1 [0048.798] lstrlenW (lpString=".crt") returned 4 [0048.798] lstrcmpiW (lpString1=".crt", lpString2=".msi") returned -1 [0048.798] lstrlenW (lpString=".crw") returned 4 [0048.799] lstrcmpiW (lpString1=".crw", lpString2=".msi") returned -1 [0048.799] lstrlenW (lpString=".cs") returned 3 [0048.799] lstrcmpiW (lpString1=".cs", lpString2="msi") returned -1 [0048.799] lstrlenW (lpString=".css") returned 4 [0048.799] lstrcmpiW (lpString1=".css", lpString2=".msi") returned -1 [0048.799] lstrlenW (lpString=".csv") returned 4 [0048.799] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0048.799] lstrlenW (lpString=".cub") returned 4 [0048.799] lstrcmpiW (lpString1=".cub", lpString2=".msi") returned -1 [0048.799] lstrlenW (lpString=".dae") returned 4 [0048.799] lstrcmpiW (lpString1=".dae", lpString2=".msi") returned -1 [0048.799] lstrlenW (lpString=".dat") returned 4 [0048.799] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0048.799] lstrlenW (lpString=".db") returned 3 [0048.799] lstrcmpiW (lpString1=".db", lpString2="msi") returned -1 [0048.799] lstrlenW (lpString=".dbf") returned 4 [0048.799] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.799] lstrlenW (lpString=".dbx") returned 4 [0048.799] lstrcmpiW (lpString1=".dbx", lpString2=".msi") returned -1 [0048.799] lstrlenW (lpString=".dc3") returned 4 [0048.799] lstrcmpiW (lpString1=".dc3", lpString2=".msi") returned -1 [0048.799] lstrlenW (lpString=".dcm") returned 4 [0048.799] lstrcmpiW (lpString1=".dcm", lpString2=".msi") returned -1 [0048.799] lstrlenW (lpString=".dcr") returned 4 [0048.799] lstrcmpiW (lpString1=".dcr", lpString2=".msi") returned -1 [0048.799] lstrlenW (lpString=".der") returned 4 [0048.799] lstrcmpiW (lpString1=".der", lpString2=".msi") returned -1 [0048.799] lstrlenW (lpString=".dib") returned 4 [0048.799] lstrcmpiW (lpString1=".dib", lpString2=".msi") returned -1 [0048.799] lstrlenW (lpString=".dic") returned 4 [0048.799] lstrcmpiW (lpString1=".dic", lpString2=".msi") returned -1 [0048.799] lstrlenW (lpString=".dif") returned 4 [0048.799] lstrcmpiW (lpString1=".dif", lpString2=".msi") returned -1 [0048.799] lstrlenW (lpString=".divx") returned 5 [0048.799] lstrcmpiW (lpString1=".divx", lpString2="W.msi") returned -1 [0048.800] lstrlenW (lpString=".djvu") returned 5 [0048.800] lstrcmpiW (lpString1=".djvu", lpString2="W.msi") returned -1 [0048.800] lstrlenW (lpString=".dng") returned 4 [0048.800] lstrcmpiW (lpString1=".dng", lpString2=".msi") returned -1 [0048.800] lstrlenW (lpString=".doc") returned 4 [0048.800] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.800] lstrlenW (lpString=".docm") returned 5 [0048.800] lstrcmpiW (lpString1=".docm", lpString2="W.msi") returned -1 [0048.800] lstrlenW (lpString=".docx") returned 5 [0048.800] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0048.800] lstrlenW (lpString=".dot") returned 4 [0048.800] lstrcmpiW (lpString1=".dot", lpString2=".msi") returned -1 [0048.800] lstrlenW (lpString=".dotm") returned 5 [0048.800] lstrcmpiW (lpString1=".dotm", lpString2="W.msi") returned -1 [0048.800] lstrlenW (lpString=".dotx") returned 5 [0048.800] lstrcmpiW (lpString1=".dotx", lpString2="W.msi") returned -1 [0048.800] lstrlenW (lpString=".dpx") returned 4 [0048.800] lstrcmpiW (lpString1=".dpx", lpString2=".msi") returned -1 [0048.800] lstrlenW (lpString=".dqy") returned 4 [0048.800] lstrcmpiW (lpString1=".dqy", lpString2=".msi") returned -1 [0048.800] lstrlenW (lpString=".dsn") returned 4 [0048.800] lstrcmpiW (lpString1=".dsn", lpString2=".msi") returned -1 [0048.800] lstrlenW (lpString=".dt") returned 3 [0048.800] lstrcmpiW (lpString1=".dt", lpString2="msi") returned -1 [0048.800] lstrlenW (lpString=".dtd") returned 4 [0048.800] lstrcmpiW (lpString1=".dtd", lpString2=".msi") returned -1 [0048.800] lstrlenW (lpString=".dwg") returned 4 [0048.800] lstrcmpiW (lpString1=".dwg", lpString2=".msi") returned -1 [0048.800] lstrlenW (lpString=".dwt") returned 4 [0048.800] lstrcmpiW (lpString1=".dwt", lpString2=".msi") returned -1 [0048.800] lstrlenW (lpString=".dx") returned 3 [0048.800] lstrcmpiW (lpString1=".dx", lpString2="msi") returned -1 [0048.800] lstrlenW (lpString=".dxf") returned 4 [0048.800] lstrcmpiW (lpString1=".dxf", lpString2=".msi") returned -1 [0048.800] lstrlenW (lpString=".edml") returned 5 [0048.800] lstrcmpiW (lpString1=".edml", lpString2="W.msi") returned -1 [0048.800] lstrlenW (lpString=".efd") returned 4 [0048.801] lstrcmpiW (lpString1=".efd", lpString2=".msi") returned -1 [0048.801] lstrlenW (lpString=".elf") returned 4 [0048.801] lstrcmpiW (lpString1=".elf", lpString2=".msi") returned -1 [0048.801] lstrlenW (lpString=".emf") returned 4 [0048.801] lstrcmpiW (lpString1=".emf", lpString2=".msi") returned -1 [0048.801] lstrlenW (lpString=".emz") returned 4 [0048.801] lstrcmpiW (lpString1=".emz", lpString2=".msi") returned -1 [0048.801] lstrlenW (lpString=".epf") returned 4 [0048.801] lstrcmpiW (lpString1=".epf", lpString2=".msi") returned -1 [0048.801] lstrlenW (lpString=".eps") returned 4 [0048.801] lstrcmpiW (lpString1=".eps", lpString2=".msi") returned -1 [0048.801] lstrlenW (lpString=".epsf") returned 5 [0048.801] lstrcmpiW (lpString1=".epsf", lpString2="W.msi") returned -1 [0048.801] lstrlenW (lpString=".epsp") returned 5 [0048.801] lstrcmpiW (lpString1=".epsp", lpString2="W.msi") returned -1 [0048.801] lstrlenW (lpString=".erf") returned 4 [0048.801] lstrcmpiW (lpString1=".erf", lpString2=".msi") returned -1 [0048.801] lstrlenW (lpString=".exr") returned 4 [0048.801] lstrcmpiW (lpString1=".exr", lpString2=".msi") returned -1 [0048.801] lstrlenW (lpString=".f4v") returned 4 [0048.801] lstrcmpiW (lpString1=".f4v", lpString2=".msi") returned -1 [0048.801] lstrlenW (lpString=".fido") returned 5 [0048.801] lstrcmpiW (lpString1=".fido", lpString2="W.msi") returned -1 [0048.801] lstrlenW (lpString=".flm") returned 4 [0048.801] lstrcmpiW (lpString1=".flm", lpString2=".msi") returned -1 [0048.801] lstrlenW (lpString=".flv") returned 4 [0048.801] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0048.801] lstrlenW (lpString=".frm") returned 4 [0048.801] lstrcmpiW (lpString1=".frm", lpString2=".msi") returned -1 [0048.801] lstrlenW (lpString=".fxg") returned 4 [0048.801] lstrcmpiW (lpString1=".fxg", lpString2=".msi") returned -1 [0048.801] lstrlenW (lpString=".geo") returned 4 [0048.801] lstrcmpiW (lpString1=".geo", lpString2=".msi") returned -1 [0048.801] lstrlenW (lpString=".gif") returned 4 [0048.801] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0048.802] lstrlenW (lpString=".grs") returned 4 [0048.802] lstrcmpiW (lpString1=".grs", lpString2=".msi") returned -1 [0048.802] lstrlenW (lpString=".gz") returned 3 [0048.802] lstrcmpiW (lpString1=".gz", lpString2="msi") returned -1 [0048.802] lstrlenW (lpString=".h") returned 2 [0048.802] lstrcmpiW (lpString1=".h", lpString2="si") returned -1 [0048.802] lstrlenW (lpString=".hdr") returned 4 [0048.802] lstrcmpiW (lpString1=".hdr", lpString2=".msi") returned -1 [0048.802] lstrlenW (lpString=".hpp") returned 4 [0048.802] lstrcmpiW (lpString1=".hpp", lpString2=".msi") returned -1 [0048.802] lstrlenW (lpString=".hta") returned 4 [0048.802] lstrcmpiW (lpString1=".hta", lpString2=".msi") returned -1 [0048.802] lstrlenW (lpString=".htc") returned 4 [0048.802] lstrcmpiW (lpString1=".htc", lpString2=".msi") returned -1 [0048.802] lstrlenW (lpString=".htm") returned 4 [0048.802] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0048.802] lstrlenW (lpString=".html") returned 5 [0048.802] lstrcmpiW (lpString1=".html", lpString2="W.msi") returned -1 [0048.802] lstrlenW (lpString=".icb") returned 4 [0048.802] lstrcmpiW (lpString1=".icb", lpString2=".msi") returned -1 [0048.802] lstrlenW (lpString=".ics") returned 4 [0048.802] lstrcmpiW (lpString1=".ics", lpString2=".msi") returned -1 [0048.802] lstrlenW (lpString=".iff") returned 4 [0048.802] lstrcmpiW (lpString1=".iff", lpString2=".msi") returned -1 [0048.802] lstrlenW (lpString=".inc") returned 4 [0048.802] lstrcmpiW (lpString1=".inc", lpString2=".msi") returned -1 [0048.802] lstrlenW (lpString=".indd") returned 5 [0048.802] lstrcmpiW (lpString1=".indd", lpString2="W.msi") returned -1 [0048.802] lstrlenW (lpString=".ini") returned 4 [0048.802] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0048.802] lstrlenW (lpString=".iqy") returned 4 [0048.802] lstrcmpiW (lpString1=".iqy", lpString2=".msi") returned -1 [0048.802] lstrlenW (lpString=".j2c") returned 4 [0048.802] lstrcmpiW (lpString1=".j2c", lpString2=".msi") returned -1 [0048.803] lstrlenW (lpString=".j2k") returned 4 [0048.803] lstrcmpiW (lpString1=".j2k", lpString2=".msi") returned -1 [0048.803] lstrlenW (lpString=".java") returned 5 [0048.803] lstrcmpiW (lpString1=".java", lpString2="W.msi") returned -1 [0048.803] lstrlenW (lpString=".jp2") returned 4 [0048.803] lstrcmpiW (lpString1=".jp2", lpString2=".msi") returned -1 [0048.803] lstrlenW (lpString=".jpc") returned 4 [0048.803] lstrcmpiW (lpString1=".jpc", lpString2=".msi") returned -1 [0048.803] lstrlenW (lpString=".jpe") returned 4 [0048.803] lstrcmpiW (lpString1=".jpe", lpString2=".msi") returned -1 [0048.803] lstrlenW (lpString=".jpeg") returned 5 [0048.803] lstrcmpiW (lpString1=".jpeg", lpString2="W.msi") returned -1 [0048.803] lstrlenW (lpString=".jpf") returned 4 [0048.803] lstrcmpiW (lpString1=".jpf", lpString2=".msi") returned -1 [0048.803] lstrlenW (lpString=".jpg") returned 4 [0048.803] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.803] lstrlenW (lpString=".jpx") returned 4 [0048.803] lstrcmpiW (lpString1=".jpx", lpString2=".msi") returned -1 [0048.803] lstrlenW (lpString=".js") returned 3 [0048.803] lstrcmpiW (lpString1=".js", lpString2="msi") returned -1 [0048.803] lstrlenW (lpString=".jsf") returned 4 [0048.803] lstrcmpiW (lpString1=".jsf", lpString2=".msi") returned -1 [0048.803] lstrlenW (lpString=".json") returned 5 [0048.803] lstrcmpiW (lpString1=".json", lpString2="W.msi") returned -1 [0048.803] lstrlenW (lpString=".jsp") returned 4 [0048.803] lstrcmpiW (lpString1=".jsp", lpString2=".msi") returned -1 [0048.803] lstrlenW (lpString=".kdc") returned 4 [0048.803] lstrcmpiW (lpString1=".kdc", lpString2=".msi") returned -1 [0048.803] lstrlenW (lpString=".kmz") returned 4 [0048.803] lstrcmpiW (lpString1=".kmz", lpString2=".msi") returned -1 [0048.803] lstrlenW (lpString=".kwm") returned 4 [0048.803] lstrcmpiW (lpString1=".kwm", lpString2=".msi") returned -1 [0048.803] lstrlenW (lpString=".lasso") returned 6 [0048.803] lstrcmpiW (lpString1=".lasso", lpString2="WW.msi") returned -1 [0048.803] lstrlenW (lpString=".lbi") returned 4 [0048.803] lstrcmpiW (lpString1=".lbi", lpString2=".msi") returned -1 [0048.804] lstrlenW (lpString=".lgf") returned 4 [0048.804] lstrcmpiW (lpString1=".lgf", lpString2=".msi") returned -1 [0048.804] lstrlenW (lpString=".lgp") returned 4 [0048.804] lstrcmpiW (lpString1=".lgp", lpString2=".msi") returned -1 [0048.804] lstrlenW (lpString=".log") returned 4 [0048.804] lstrcmpiW (lpString1=".log", lpString2=".msi") returned -1 [0048.804] lstrlenW (lpString=".m1v") returned 4 [0048.804] lstrcmpiW (lpString1=".m1v", lpString2=".msi") returned -1 [0048.804] lstrlenW (lpString=".m4a") returned 4 [0048.804] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0048.804] lstrlenW (lpString=".m4v") returned 4 [0048.804] lstrcmpiW (lpString1=".m4v", lpString2=".msi") returned -1 [0048.804] lstrlenW (lpString=".max") returned 4 [0048.804] lstrcmpiW (lpString1=".max", lpString2=".msi") returned -1 [0048.804] lstrlenW (lpString=".md") returned 3 [0048.804] lstrcmpiW (lpString1=".md", lpString2="msi") returned -1 [0048.804] lstrlenW (lpString=".mda") returned 4 [0048.804] lstrcmpiW (lpString1=".mda", lpString2=".msi") returned -1 [0048.804] lstrlenW (lpString=".mdb") returned 4 [0048.804] lstrcmpiW (lpString1=".mdb", lpString2=".msi") returned -1 [0048.804] lstrlenW (lpString=".mde") returned 4 [0048.804] lstrcmpiW (lpString1=".mde", lpString2=".msi") returned -1 [0048.804] lstrlenW (lpString=".mdf") returned 4 [0048.804] lstrcmpiW (lpString1=".mdf", lpString2=".msi") returned -1 [0048.804] lstrlenW (lpString=".mdw") returned 4 [0048.804] lstrcmpiW (lpString1=".mdw", lpString2=".msi") returned -1 [0048.804] lstrlenW (lpString=".mef") returned 4 [0048.804] lstrcmpiW (lpString1=".mef", lpString2=".msi") returned -1 [0048.804] lstrlenW (lpString=".mft") returned 4 [0048.804] lstrcmpiW (lpString1=".mft", lpString2=".msi") returned -1 [0048.804] lstrlenW (lpString=".mfw") returned 4 [0048.804] lstrcmpiW (lpString1=".mfw", lpString2=".msi") returned -1 [0048.804] lstrlenW (lpString=".mht") returned 4 [0048.804] lstrcmpiW (lpString1=".mht", lpString2=".msi") returned -1 [0048.804] lstrlenW (lpString=".mhtml") returned 6 [0048.805] lstrcmpiW (lpString1=".mhtml", lpString2="WW.msi") returned -1 [0048.805] lstrlenW (lpString=".mka") returned 4 [0048.805] lstrcmpiW (lpString1=".mka", lpString2=".msi") returned -1 [0048.805] lstrlenW (lpString=".mkidx") returned 6 [0048.805] lstrcmpiW (lpString1=".mkidx", lpString2="WW.msi") returned -1 [0048.805] lstrlenW (lpString=".mkv") returned 4 [0048.805] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0048.805] lstrlenW (lpString=".mos") returned 4 [0048.805] lstrcmpiW (lpString1=".mos", lpString2=".msi") returned -1 [0048.805] lstrlenW (lpString=".mov") returned 4 [0048.805] lstrcmpiW (lpString1=".mov", lpString2=".msi") returned -1 [0048.805] lstrlenW (lpString=".mp3") returned 4 [0048.805] lstrcmpiW (lpString1=".mp3", lpString2=".msi") returned -1 [0048.805] lstrlenW (lpString=".mp4") returned 4 [0048.805] lstrcmpiW (lpString1=".mp4", lpString2=".msi") returned -1 [0048.805] lstrlenW (lpString=".mpeg") returned 5 [0048.805] lstrcmpiW (lpString1=".mpeg", lpString2="W.msi") returned -1 [0048.805] lstrlenW (lpString=".mpg") returned 4 [0048.805] lstrcmpiW (lpString1=".mpg", lpString2=".msi") returned -1 [0048.805] lstrlenW (lpString=".mpv") returned 4 [0048.805] lstrcmpiW (lpString1=".mpv", lpString2=".msi") returned -1 [0048.805] lstrlenW (lpString=".mrw") returned 4 [0048.805] lstrcmpiW (lpString1=".mrw", lpString2=".msi") returned -1 [0048.805] lstrlenW (lpString=".msg") returned 4 [0048.805] lstrcmpiW (lpString1=".msg", lpString2=".msi") returned -1 [0048.805] lstrlenW (lpString=".mxl") returned 4 [0048.805] lstrcmpiW (lpString1=".mxl", lpString2=".msi") returned 1 [0048.805] lstrlenW (lpString=".myd") returned 4 [0048.805] lstrcmpiW (lpString1=".myd", lpString2=".msi") returned 1 [0048.805] lstrlenW (lpString=".myi") returned 4 [0048.805] lstrcmpiW (lpString1=".myi", lpString2=".msi") returned 1 [0048.805] lstrlenW (lpString=".nef") returned 4 [0048.805] lstrcmpiW (lpString1=".nef", lpString2=".msi") returned 1 [0048.805] lstrlenW (lpString=".nrw") returned 4 [0048.806] lstrcmpiW (lpString1=".nrw", lpString2=".msi") returned 1 [0048.806] lstrlenW (lpString=".obj") returned 4 [0048.806] lstrcmpiW (lpString1=".obj", lpString2=".msi") returned 1 [0048.806] lstrlenW (lpString=".odb") returned 4 [0048.806] lstrcmpiW (lpString1=".odb", lpString2=".msi") returned 1 [0048.806] lstrlenW (lpString=".odc") returned 4 [0048.806] lstrcmpiW (lpString1=".odc", lpString2=".msi") returned 1 [0048.806] lstrlenW (lpString=".odm") returned 4 [0048.806] lstrcmpiW (lpString1=".odm", lpString2=".msi") returned 1 [0048.806] lstrlenW (lpString=".odp") returned 4 [0048.806] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0048.806] lstrlenW (lpString=".ods") returned 4 [0048.806] lstrcmpiW (lpString1=".ods", lpString2=".msi") returned 1 [0048.806] lstrlenW (lpString=".oft") returned 4 [0048.806] lstrcmpiW (lpString1=".oft", lpString2=".msi") returned 1 [0048.806] lstrlenW (lpString=".one") returned 4 [0048.806] lstrcmpiW (lpString1=".one", lpString2=".msi") returned 1 [0048.931] lstrlenW (lpString=".onepkg") returned 7 [0048.931] lstrcmpiW (lpString1=".onepkg", lpString2="2WW.msi") returned -1 [0048.931] lstrlenW (lpString=".onetoc2") returned 8 [0048.931] lstrcmpiW (lpString1=".onetoc2", lpString2="32WW.msi") returned -1 [0048.931] lstrlenW (lpString=".opt") returned 4 [0048.931] lstrcmpiW (lpString1=".opt", lpString2=".msi") returned 1 [0048.931] lstrlenW (lpString=".oqy") returned 4 [0048.931] lstrcmpiW (lpString1=".oqy", lpString2=".msi") returned 1 [0048.931] lstrlenW (lpString=".orf") returned 4 [0048.931] lstrcmpiW (lpString1=".orf", lpString2=".msi") returned 1 [0048.931] lstrlenW (lpString=".p12") returned 4 [0048.931] lstrcmpiW (lpString1=".p12", lpString2=".msi") returned 1 [0048.931] lstrlenW (lpString=".p7b") returned 4 [0048.932] lstrcmpiW (lpString1=".p7b", lpString2=".msi") returned 1 [0048.932] lstrlenW (lpString=".p7c") returned 4 [0048.932] lstrcmpiW (lpString1=".p7c", lpString2=".msi") returned 1 [0048.932] lstrlenW (lpString=".pam") returned 4 [0048.932] lstrcmpiW (lpString1=".pam", lpString2=".msi") returned 1 [0048.932] lstrlenW (lpString=".pbm") returned 4 [0048.932] lstrcmpiW (lpString1=".pbm", lpString2=".msi") returned 1 [0048.932] lstrlenW (lpString=".pct") returned 4 [0048.932] lstrcmpiW (lpString1=".pct", lpString2=".msi") returned 1 [0048.932] lstrlenW (lpString=".pcx") returned 4 [0048.932] lstrcmpiW (lpString1=".pcx", lpString2=".msi") returned 1 [0048.932] lstrlenW (lpString=".pdd") returned 4 [0048.932] lstrcmpiW (lpString1=".pdd", lpString2=".msi") returned 1 [0048.932] lstrlenW (lpString=".pdf") returned 4 [0048.932] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.932] lstrlenW (lpString=".pdp") returned 4 [0048.932] lstrcmpiW (lpString1=".pdp", lpString2=".msi") returned 1 [0048.932] lstrlenW (lpString=".pef") returned 4 [0048.932] lstrcmpiW (lpString1=".pef", lpString2=".msi") returned 1 [0048.932] lstrlenW (lpString=".pem") returned 4 [0048.932] lstrcmpiW (lpString1=".pem", lpString2=".msi") returned 1 [0048.932] lstrlenW (lpString=".pff") returned 4 [0048.932] lstrcmpiW (lpString1=".pff", lpString2=".msi") returned 1 [0048.932] lstrlenW (lpString=".pfm") returned 4 [0048.932] lstrcmpiW (lpString1=".pfm", lpString2=".msi") returned 1 [0048.932] lstrlenW (lpString=".pfx") returned 4 [0048.932] lstrcmpiW (lpString1=".pfx", lpString2=".msi") returned 1 [0048.932] lstrlenW (lpString=".pgm") returned 4 [0048.932] lstrcmpiW (lpString1=".pgm", lpString2=".msi") returned 1 [0048.932] lstrlenW (lpString=".php") returned 4 [0048.932] lstrcmpiW (lpString1=".php", lpString2=".msi") returned 1 [0048.932] lstrlenW (lpString=".php3") returned 5 [0048.932] lstrcmpiW (lpString1=".php3", lpString2="W.msi") returned -1 [0048.932] lstrlenW (lpString=".php4") returned 5 [0048.933] lstrcmpiW (lpString1=".php4", lpString2="W.msi") returned -1 [0048.933] lstrlenW (lpString=".php5") returned 5 [0048.933] lstrcmpiW (lpString1=".php5", lpString2="W.msi") returned -1 [0048.933] lstrlenW (lpString=".phtml") returned 6 [0048.933] lstrcmpiW (lpString1=".phtml", lpString2="WW.msi") returned -1 [0048.933] lstrlenW (lpString=".pict") returned 5 [0048.933] lstrcmpiW (lpString1=".pict", lpString2="W.msi") returned -1 [0048.933] lstrlenW (lpString=".pl") returned 3 [0048.933] lstrcmpiW (lpString1=".pl", lpString2="msi") returned -1 [0048.933] lstrlenW (lpString=".pls") returned 4 [0048.933] lstrcmpiW (lpString1=".pls", lpString2=".msi") returned 1 [0048.933] lstrlenW (lpString=".pm") returned 3 [0048.933] lstrcmpiW (lpString1=".pm", lpString2="msi") returned -1 [0048.933] lstrlenW (lpString=".png") returned 4 [0048.933] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0048.933] lstrlenW (lpString=".pnm") returned 4 [0048.933] lstrcmpiW (lpString1=".pnm", lpString2=".msi") returned 1 [0048.933] lstrlenW (lpString=".pot") returned 4 [0048.933] lstrcmpiW (lpString1=".pot", lpString2=".msi") returned 1 [0048.933] lstrlenW (lpString=".potm") returned 5 [0048.933] lstrcmpiW (lpString1=".potm", lpString2="W.msi") returned -1 [0048.933] lstrlenW (lpString=".potx") returned 5 [0048.933] lstrcmpiW (lpString1=".potx", lpString2="W.msi") returned -1 [0048.933] lstrlenW (lpString=".ppa") returned 4 [0048.933] lstrcmpiW (lpString1=".ppa", lpString2=".msi") returned 1 [0048.933] lstrlenW (lpString=".ppam") returned 5 [0048.933] lstrcmpiW (lpString1=".ppam", lpString2="W.msi") returned -1 [0048.933] lstrlenW (lpString=".ppm") returned 4 [0048.933] lstrcmpiW (lpString1=".ppm", lpString2=".msi") returned 1 [0048.933] lstrlenW (lpString=".pps") returned 4 [0048.933] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0048.933] lstrlenW (lpString=".ppsm") returned 5 [0048.933] lstrcmpiW (lpString1=".ppsm", lpString2="W.msi") returned -1 [0048.933] lstrlenW (lpString=".ppt") returned 4 [0048.934] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.934] lstrlenW (lpString=".pptm") returned 5 [0048.934] lstrcmpiW (lpString1=".pptm", lpString2="W.msi") returned -1 [0048.934] lstrlenW (lpString=".pptx") returned 5 [0048.934] lstrcmpiW (lpString1=".pptx", lpString2="W.msi") returned -1 [0048.934] lstrlenW (lpString=".prn") returned 4 [0048.934] lstrcmpiW (lpString1=".prn", lpString2=".msi") returned 1 [0048.934] lstrlenW (lpString=".ps") returned 3 [0048.934] lstrcmpiW (lpString1=".ps", lpString2="msi") returned -1 [0048.934] lstrlenW (lpString=".psb") returned 4 [0048.934] lstrcmpiW (lpString1=".psb", lpString2=".msi") returned 1 [0048.934] lstrlenW (lpString=".psd") returned 4 [0048.934] lstrcmpiW (lpString1=".psd", lpString2=".msi") returned 1 [0048.934] lstrlenW (lpString=".pst") returned 4 [0048.934] lstrcmpiW (lpString1=".pst", lpString2=".msi") returned 1 [0048.934] lstrlenW (lpString=".ptx") returned 4 [0048.934] lstrcmpiW (lpString1=".ptx", lpString2=".msi") returned 1 [0048.934] lstrlenW (lpString=".pub") returned 4 [0048.934] lstrcmpiW (lpString1=".pub", lpString2=".msi") returned 1 [0048.934] lstrlenW (lpString=".pwm") returned 4 [0048.934] lstrcmpiW (lpString1=".pwm", lpString2=".msi") returned 1 [0048.934] lstrlenW (lpString=".pxr") returned 4 [0048.934] lstrcmpiW (lpString1=".pxr", lpString2=".msi") returned 1 [0048.934] lstrlenW (lpString=".py") returned 3 [0048.934] lstrcmpiW (lpString1=".py", lpString2="msi") returned -1 [0048.934] lstrlenW (lpString=".qt") returned 3 [0048.934] lstrcmpiW (lpString1=".qt", lpString2="msi") returned -1 [0048.934] lstrlenW (lpString=".r3d") returned 4 [0048.934] lstrcmpiW (lpString1=".r3d", lpString2=".msi") returned 1 [0048.934] lstrlenW (lpString=".raf") returned 4 [0048.934] lstrcmpiW (lpString1=".raf", lpString2=".msi") returned 1 [0048.934] lstrlenW (lpString=".rar") returned 4 [0048.934] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.935] lstrlenW (lpString=".raw") returned 4 [0048.935] lstrcmpiW (lpString1=".raw", lpString2=".msi") returned 1 [0051.044] FindNextFileW (in: hFindFile=0x4011178, lpFindFileData=0x302f58c | out: lpFindFileData=0x302f58c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.044] FindNextFileW (in: hFindFile=0x4011178, lpFindFileData=0x302f58c | out: lpFindFileData=0x302f58c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe5ed9630, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xe5ed9630, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x4655d500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0051.044] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0051.044] lstrcmpiW (lpString1=".3ds", lpString2=".msi") returned -1 [0051.044] lstrcmpiW (lpString1=".3fr", lpString2=".msi") returned -1 [0051.044] lstrcmpiW (lpString1=".3g2", lpString2=".msi") returned -1 [0051.044] lstrcmpiW (lpString1=".3gp", lpString2=".msi") returned -1 [0051.044] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0051.044] lstrcmpiW (lpString1=".accda", lpString2="WW.msi") returned -1 [0051.044] lstrcmpiW (lpString1=".accdb", lpString2="WW.msi") returned -1 [0051.045] lstrcmpiW (lpString1=".accdc", lpString2="WW.msi") returned -1 [0051.045] lstrcmpiW (lpString1=".accde", lpString2="WW.msi") returned -1 [0051.045] lstrcmpiW (lpString1=".accdt", lpString2="WW.msi") returned -1 [0051.045] lstrcmpiW (lpString1=".accdw", lpString2="WW.msi") returned -1 [0051.045] lstrcmpiW (lpString1=".adb", lpString2=".msi") returned -1 [0051.045] lstrcmpiW (lpString1=".adp", lpString2=".msi") returned -1 [0051.045] lstrcmpiW (lpString1=".ai", lpString2="msi") returned -1 [0051.045] lstrcmpiW (lpString1=".ai3", lpString2=".msi") returned -1 [0051.045] lstrcmpiW (lpString1=".ai4", lpString2=".msi") returned -1 [0051.045] lstrcmpiW (lpString1=".ai5", lpString2=".msi") returned -1 [0051.045] lstrcmpiW (lpString1=".ai6", lpString2=".msi") returned -1 [0051.045] lstrcmpiW (lpString1=".ai7", lpString2=".msi") returned -1 [0051.045] lstrcmpiW (lpString1=".ai8", lpString2=".msi") returned -1 [0051.045] lstrcmpiW (lpString1=".anim", lpString2="W.msi") returned -1 [0051.045] lstrcmpiW (lpString1=".arw", lpString2=".msi") returned -1 [0051.045] lstrcmpiW (lpString1=".as", lpString2="msi") returned -1 [0051.045] lstrcmpiW (lpString1=".asa", lpString2=".msi") returned -1 [0051.045] lstrcmpiW (lpString1=".asc", lpString2=".msi") returned -1 [0051.045] lstrcmpiW (lpString1=".ascx", lpString2="W.msi") returned -1 [0051.046] lstrcmpiW (lpString1=".asm", lpString2=".msi") returned -1 [0051.046] lstrcmpiW (lpString1=".asmx", lpString2="W.msi") returned -1 [0051.046] lstrcmpiW (lpString1=".asp", lpString2=".msi") returned -1 [0051.046] lstrcmpiW (lpString1=".aspx", lpString2="W.msi") returned -1 [0051.046] lstrcmpiW (lpString1=".asr", lpString2=".msi") returned -1 [0051.046] lstrcmpiW (lpString1=".asx", lpString2=".msi") returned -1 [0051.046] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0051.046] lstrcmpiW (lpString1=".avs", lpString2=".msi") returned -1 [0051.046] lstrcmpiW (lpString1=".backup", lpString2="2WW.msi") returned -1 [0051.046] lstrcmpiW (lpString1=".bak", lpString2=".msi") returned -1 [0051.046] lstrcmpiW (lpString1=".bay", lpString2=".msi") returned -1 [0051.046] lstrcmpiW (lpString1=".bd", lpString2="msi") returned -1 [0051.046] lstrcmpiW (lpString1=".bin", lpString2=".msi") returned -1 [0051.046] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0051.046] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0051.046] lstrcmpiW (lpString1=".c", lpString2="si") returned -1 [0051.046] lstrcmpiW (lpString1=".cdr", lpString2=".msi") returned -1 [0051.046] lstrcmpiW (lpString1=".cer", lpString2=".msi") returned -1 [0051.047] lstrcmpiW (lpString1=".cf", lpString2="msi") returned -1 [0051.047] lstrcmpiW (lpString1=".cfc", lpString2=".msi") returned -1 [0051.047] lstrcmpiW (lpString1=".cfm", lpString2=".msi") returned -1 [0051.047] lstrcmpiW (lpString1=".cfml", lpString2="W.msi") returned -1 [0051.047] lstrcmpiW (lpString1=".cfu", lpString2=".msi") returned -1 [0051.047] lstrcmpiW (lpString1=".chm", lpString2=".msi") returned -1 [0051.047] lstrcmpiW (lpString1=".cin", lpString2=".msi") returned -1 [0051.047] lstrcmpiW (lpString1=".class", lpString2="WW.msi") returned -1 [0051.047] lstrcmpiW (lpString1=".clx", lpString2=".msi") returned -1 [0051.047] lstrcmpiW (lpString1=".config", lpString2="2WW.msi") returned -1 [0051.047] lstrcmpiW (lpString1=".cpp", lpString2=".msi") returned -1 [0051.047] lstrcmpiW (lpString1=".cr2", lpString2=".msi") returned -1 [0051.047] lstrcmpiW (lpString1=".crt", lpString2=".msi") returned -1 [0051.047] lstrcmpiW (lpString1=".crw", lpString2=".msi") returned -1 [0051.047] lstrcmpiW (lpString1=".cs", lpString2="msi") returned -1 [0051.047] lstrcmpiW (lpString1=".css", lpString2=".msi") returned -1 [0051.047] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0051.047] lstrcmpiW (lpString1=".cub", lpString2=".msi") returned -1 [0051.047] lstrcmpiW (lpString1=".dae", lpString2=".msi") returned -1 [0051.048] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0051.048] lstrcmpiW (lpString1=".db", lpString2="msi") returned -1 [0051.048] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0051.048] lstrcmpiW (lpString1=".dbx", lpString2=".msi") returned -1 [0051.048] lstrcmpiW (lpString1=".dc3", lpString2=".msi") returned -1 [0051.048] lstrcmpiW (lpString1=".dcm", lpString2=".msi") returned -1 [0051.048] lstrcmpiW (lpString1=".dcr", lpString2=".msi") returned -1 [0051.048] lstrcmpiW (lpString1=".der", lpString2=".msi") returned -1 [0051.048] lstrcmpiW (lpString1=".dib", lpString2=".msi") returned -1 [0051.048] lstrcmpiW (lpString1=".dic", lpString2=".msi") returned -1 [0051.048] lstrcmpiW (lpString1=".dif", lpString2=".msi") returned -1 [0051.048] lstrcmpiW (lpString1=".divx", lpString2="W.msi") returned -1 [0051.048] lstrcmpiW (lpString1=".djvu", lpString2="W.msi") returned -1 [0051.048] lstrcmpiW (lpString1=".dng", lpString2=".msi") returned -1 [0051.048] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0051.048] lstrcmpiW (lpString1=".docm", lpString2="W.msi") returned -1 [0051.048] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0051.048] lstrcmpiW (lpString1=".dot", lpString2=".msi") returned -1 [0051.049] lstrcmpiW (lpString1=".dotm", lpString2="W.msi") returned -1 [0051.049] lstrcmpiW (lpString1=".dotx", lpString2="W.msi") returned -1 [0051.049] lstrcmpiW (lpString1=".dpx", lpString2=".msi") returned -1 [0051.049] lstrcmpiW (lpString1=".dqy", lpString2=".msi") returned -1 [0051.049] lstrcmpiW (lpString1=".dsn", lpString2=".msi") returned -1 [0051.049] lstrcmpiW (lpString1=".dt", lpString2="msi") returned -1 [0051.049] lstrcmpiW (lpString1=".dtd", lpString2=".msi") returned -1 [0051.049] lstrcmpiW (lpString1=".dwg", lpString2=".msi") returned -1 [0051.049] lstrcmpiW (lpString1=".dwt", lpString2=".msi") returned -1 [0051.049] lstrcmpiW (lpString1=".dx", lpString2="msi") returned -1 [0051.049] lstrcmpiW (lpString1=".dxf", lpString2=".msi") returned -1 [0051.049] lstrcmpiW (lpString1=".edml", lpString2="W.msi") returned -1 [0051.049] lstrcmpiW (lpString1=".efd", lpString2=".msi") returned -1 [0051.049] lstrcmpiW (lpString1=".elf", lpString2=".msi") returned -1 [0051.049] lstrcmpiW (lpString1=".emf", lpString2=".msi") returned -1 [0051.049] lstrcmpiW (lpString1=".emz", lpString2=".msi") returned -1 [0051.049] lstrcmpiW (lpString1=".epf", lpString2=".msi") returned -1 [0051.049] lstrcmpiW (lpString1=".eps", lpString2=".msi") returned -1 [0051.050] lstrcmpiW (lpString1=".epsf", lpString2="W.msi") returned -1 [0051.050] lstrcmpiW (lpString1=".epsp", lpString2="W.msi") returned -1 [0051.050] lstrcmpiW (lpString1=".erf", lpString2=".msi") returned -1 [0051.050] lstrcmpiW (lpString1=".exr", lpString2=".msi") returned -1 [0051.050] lstrcmpiW (lpString1=".f4v", lpString2=".msi") returned -1 [0051.050] lstrcmpiW (lpString1=".fido", lpString2="W.msi") returned -1 [0051.050] lstrcmpiW (lpString1=".flm", lpString2=".msi") returned -1 [0051.050] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0051.050] lstrcmpiW (lpString1=".frm", lpString2=".msi") returned -1 [0051.050] lstrcmpiW (lpString1=".fxg", lpString2=".msi") returned -1 [0051.050] lstrcmpiW (lpString1=".geo", lpString2=".msi") returned -1 [0051.050] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0051.050] lstrcmpiW (lpString1=".grs", lpString2=".msi") returned -1 [0051.050] lstrcmpiW (lpString1=".gz", lpString2="msi") returned -1 [0051.050] lstrcmpiW (lpString1=".h", lpString2="si") returned -1 [0051.050] lstrcmpiW (lpString1=".hdr", lpString2=".msi") returned -1 [0051.050] lstrcmpiW (lpString1=".hpp", lpString2=".msi") returned -1 [0051.050] lstrcmpiW (lpString1=".hta", lpString2=".msi") returned -1 [0051.051] lstrcmpiW (lpString1=".htc", lpString2=".msi") returned -1 [0051.051] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0051.051] lstrcmpiW (lpString1=".html", lpString2="W.msi") returned -1 [0051.051] lstrcmpiW (lpString1=".icb", lpString2=".msi") returned -1 [0051.051] lstrcmpiW (lpString1=".ics", lpString2=".msi") returned -1 [0051.051] lstrcmpiW (lpString1=".iff", lpString2=".msi") returned -1 [0051.051] lstrcmpiW (lpString1=".inc", lpString2=".msi") returned -1 [0051.051] lstrcmpiW (lpString1=".indd", lpString2="W.msi") returned -1 [0051.051] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0051.051] lstrcmpiW (lpString1=".iqy", lpString2=".msi") returned -1 [0051.051] lstrcmpiW (lpString1=".j2c", lpString2=".msi") returned -1 [0051.051] lstrcmpiW (lpString1=".j2k", lpString2=".msi") returned -1 [0051.051] lstrcmpiW (lpString1=".java", lpString2="W.msi") returned -1 [0051.051] lstrcmpiW (lpString1=".jp2", lpString2=".msi") returned -1 [0051.051] lstrcmpiW (lpString1=".jpc", lpString2=".msi") returned -1 [0051.051] lstrcmpiW (lpString1=".jpe", lpString2=".msi") returned -1 [0051.051] lstrcmpiW (lpString1=".jpeg", lpString2="W.msi") returned -1 [0051.051] lstrcmpiW (lpString1=".jpf", lpString2=".msi") returned -1 [0051.051] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0051.052] lstrcmpiW (lpString1=".jpx", lpString2=".msi") returned -1 [0051.052] lstrcmpiW (lpString1=".js", lpString2="msi") returned -1 [0051.052] lstrcmpiW (lpString1=".jsf", lpString2=".msi") returned -1 [0051.052] lstrcmpiW (lpString1=".json", lpString2="W.msi") returned -1 [0051.052] lstrcmpiW (lpString1=".jsp", lpString2=".msi") returned -1 [0051.052] lstrcmpiW (lpString1=".kdc", lpString2=".msi") returned -1 [0051.052] lstrcmpiW (lpString1=".kmz", lpString2=".msi") returned -1 [0051.052] lstrcmpiW (lpString1=".kwm", lpString2=".msi") returned -1 [0051.052] lstrcmpiW (lpString1=".lasso", lpString2="WW.msi") returned -1 [0051.052] lstrcmpiW (lpString1=".lbi", lpString2=".msi") returned -1 [0051.052] lstrcmpiW (lpString1=".lgf", lpString2=".msi") returned -1 [0051.052] lstrcmpiW (lpString1=".lgp", lpString2=".msi") returned -1 [0051.052] lstrcmpiW (lpString1=".log", lpString2=".msi") returned -1 [0051.052] lstrcmpiW (lpString1=".m1v", lpString2=".msi") returned -1 [0051.052] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0051.052] lstrcmpiW (lpString1=".m4v", lpString2=".msi") returned -1 [0051.052] lstrcmpiW (lpString1=".max", lpString2=".msi") returned -1 [0051.053] lstrcmpiW (lpString1=".md", lpString2="msi") returned -1 [0051.053] lstrcmpiW (lpString1=".mda", lpString2=".msi") returned -1 [0051.054] lstrcmpiW (lpString1=".mdb", lpString2=".msi") returned -1 [0051.054] lstrcmpiW (lpString1=".mde", lpString2=".msi") returned -1 [0051.054] lstrcmpiW (lpString1=".mdf", lpString2=".msi") returned -1 [0051.054] lstrcmpiW (lpString1=".mdw", lpString2=".msi") returned -1 [0051.054] lstrcmpiW (lpString1=".mef", lpString2=".msi") returned -1 [0051.054] lstrcmpiW (lpString1=".mft", lpString2=".msi") returned -1 [0051.054] lstrcmpiW (lpString1=".mfw", lpString2=".msi") returned -1 [0051.054] lstrcmpiW (lpString1=".mht", lpString2=".msi") returned -1 [0051.054] lstrcmpiW (lpString1=".mhtml", lpString2="WW.msi") returned -1 [0051.054] lstrcmpiW (lpString1=".mka", lpString2=".msi") returned -1 [0051.054] lstrcmpiW (lpString1=".mkidx", lpString2="WW.msi") returned -1 [0051.054] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0051.054] lstrcmpiW (lpString1=".mos", lpString2=".msi") returned -1 [0051.054] lstrcmpiW (lpString1=".mov", lpString2=".msi") returned -1 [0051.054] lstrcmpiW (lpString1=".mp3", lpString2=".msi") returned -1 [0051.054] lstrcmpiW (lpString1=".mp4", lpString2=".msi") returned -1 [0051.054] lstrcmpiW (lpString1=".mpeg", lpString2="W.msi") returned -1 [0051.054] lstrcmpiW (lpString1=".mpg", lpString2=".msi") returned -1 [0051.054] lstrcmpiW (lpString1=".mpv", lpString2=".msi") returned -1 [0051.055] lstrcmpiW (lpString1=".mrw", lpString2=".msi") returned -1 [0051.055] lstrcmpiW (lpString1=".msg", lpString2=".msi") returned -1 [0051.055] lstrcmpiW (lpString1=".mxl", lpString2=".msi") returned 1 [0051.055] lstrcmpiW (lpString1=".myd", lpString2=".msi") returned 1 [0051.055] lstrcmpiW (lpString1=".myi", lpString2=".msi") returned 1 [0051.055] lstrcmpiW (lpString1=".nef", lpString2=".msi") returned 1 [0051.055] lstrcmpiW (lpString1=".nrw", lpString2=".msi") returned 1 [0051.055] lstrcmpiW (lpString1=".obj", lpString2=".msi") returned 1 [0051.055] lstrcmpiW (lpString1=".odb", lpString2=".msi") returned 1 [0051.055] lstrcmpiW (lpString1=".odc", lpString2=".msi") returned 1 [0051.055] lstrcmpiW (lpString1=".odm", lpString2=".msi") returned 1 [0051.055] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0051.055] lstrcmpiW (lpString1=".ods", lpString2=".msi") returned 1 [0051.055] lstrcmpiW (lpString1=".oft", lpString2=".msi") returned 1 [0051.055] lstrcmpiW (lpString1=".one", lpString2=".msi") returned 1 [0051.055] lstrcmpiW (lpString1=".onepkg", lpString2="2WW.msi") returned -1 [0051.055] lstrcmpiW (lpString1=".onetoc2", lpString2="32WW.msi") returned -1 [0051.055] lstrcmpiW (lpString1=".opt", lpString2=".msi") returned 1 [0051.055] lstrcmpiW (lpString1=".oqy", lpString2=".msi") returned 1 [0051.055] lstrcmpiW (lpString1=".orf", lpString2=".msi") returned 1 [0051.056] lstrcmpiW (lpString1=".p12", lpString2=".msi") returned 1 [0051.056] lstrcmpiW (lpString1=".p7b", lpString2=".msi") returned 1 [0051.056] lstrcmpiW (lpString1=".p7c", lpString2=".msi") returned 1 [0051.056] lstrcmpiW (lpString1=".pam", lpString2=".msi") returned 1 [0051.056] lstrcmpiW (lpString1=".pbm", lpString2=".msi") returned 1 [0051.056] lstrcmpiW (lpString1=".pct", lpString2=".msi") returned 1 [0051.056] lstrcmpiW (lpString1=".pcx", lpString2=".msi") returned 1 [0051.056] lstrcmpiW (lpString1=".pdd", lpString2=".msi") returned 1 [0051.056] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0051.056] lstrcmpiW (lpString1=".pdp", lpString2=".msi") returned 1 [0051.056] lstrcmpiW (lpString1=".pef", lpString2=".msi") returned 1 [0051.056] lstrcmpiW (lpString1=".pem", lpString2=".msi") returned 1 [0051.056] lstrcmpiW (lpString1=".pff", lpString2=".msi") returned 1 [0051.056] lstrcmpiW (lpString1=".pfm", lpString2=".msi") returned 1 [0051.056] lstrcmpiW (lpString1=".pfx", lpString2=".msi") returned 1 [0051.056] lstrcmpiW (lpString1=".pgm", lpString2=".msi") returned 1 [0051.056] lstrcmpiW (lpString1=".php", lpString2=".msi") returned 1 [0051.056] lstrcmpiW (lpString1=".php3", lpString2="W.msi") returned -1 [0051.056] lstrcmpiW (lpString1=".php4", lpString2="W.msi") returned -1 [0051.057] lstrcmpiW (lpString1=".php5", lpString2="W.msi") returned -1 [0051.057] lstrcmpiW (lpString1=".phtml", lpString2="WW.msi") returned -1 [0051.057] lstrcmpiW (lpString1=".pict", lpString2="W.msi") returned -1 [0051.057] lstrcmpiW (lpString1=".pl", lpString2="msi") returned -1 [0051.057] lstrcmpiW (lpString1=".pls", lpString2=".msi") returned 1 [0051.057] lstrcmpiW (lpString1=".pm", lpString2="msi") returned -1 [0051.057] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0051.057] lstrcmpiW (lpString1=".pnm", lpString2=".msi") returned 1 [0051.057] lstrcmpiW (lpString1=".pot", lpString2=".msi") returned 1 [0051.057] lstrcmpiW (lpString1=".potm", lpString2="W.msi") returned -1 [0051.057] lstrcmpiW (lpString1=".potx", lpString2="W.msi") returned -1 [0051.057] lstrcmpiW (lpString1=".ppa", lpString2=".msi") returned 1 [0051.057] lstrcmpiW (lpString1=".ppam", lpString2="W.msi") returned -1 [0051.057] lstrcmpiW (lpString1=".ppm", lpString2=".msi") returned 1 [0051.057] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0051.057] lstrcmpiW (lpString1=".ppsm", lpString2="W.msi") returned -1 [0051.057] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0051.057] lstrcmpiW (lpString1=".pptm", lpString2="W.msi") returned -1 [0051.058] lstrcmpiW (lpString1=".pptx", lpString2="W.msi") returned -1 [0051.058] lstrcmpiW (lpString1=".prn", lpString2=".msi") returned 1 [0051.058] lstrcmpiW (lpString1=".ps", lpString2="msi") returned -1 [0051.058] lstrcmpiW (lpString1=".psb", lpString2=".msi") returned 1 [0051.058] lstrcmpiW (lpString1=".psd", lpString2=".msi") returned 1 [0051.058] lstrcmpiW (lpString1=".pst", lpString2=".msi") returned 1 [0051.058] lstrcmpiW (lpString1=".ptx", lpString2=".msi") returned 1 [0051.058] lstrcmpiW (lpString1=".pub", lpString2=".msi") returned 1 [0051.058] lstrcmpiW (lpString1=".pwm", lpString2=".msi") returned 1 [0051.058] lstrcmpiW (lpString1=".pxr", lpString2=".msi") returned 1 [0051.058] lstrcmpiW (lpString1=".py", lpString2="msi") returned -1 [0051.058] lstrcmpiW (lpString1=".qt", lpString2="msi") returned -1 [0051.058] lstrcmpiW (lpString1=".r3d", lpString2=".msi") returned 1 [0051.058] lstrcmpiW (lpString1=".raf", lpString2=".msi") returned 1 [0051.058] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0051.059] lstrcmpiW (lpString1=".raw", lpString2=".msi") returned 1 [0051.059] lstrcmpiW (lpString1=".rdf", lpString2=".msi") returned 1 [0051.059] FindNextFileW (in: hFindFile=0x4011178, lpFindFileData=0x302f58c | out: lpFindFileData=0x302f58c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x16771fb0, ftCreationTime.dwHighDateTime=0x1cb12b4, ftLastAccessTime.dwLowDateTime=0x16771fb0, ftLastAccessTime.dwHighDateTime=0x1cb12b4, ftLastWriteTime.dwLowDateTime=0x46536400, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0052.406] FindNextFileW (in: hFindFile=0x40112b8, lpFindFileData=0x302f310 | out: lpFindFileData=0x302f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.420] FindNextFileW (in: hFindFile=0x40112b8, lpFindFileData=0x302f310 | out: lpFindFileData=0x302f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AFTRNOON", cAlternateFileName="")) returned 1 [0058.356] FindNextFileW (in: hFindFile=0x40112f8, lpFindFileData=0x302f094 | out: lpFindFileData=0x302f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9fbd8be5, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab41c3c, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9fdc8b88, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.356] FindNextFileW (in: hFindFile=0x40112f8, lpFindFileData=0x302f094 | out: lpFindFileData=0x302f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x710d74af, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x710d74af, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb08f, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-background.png", cAlternateFileName="")) returned 1 [0058.357] FindClose (in: hFindFile=0x40112f8 | out: hFindFile=0x40112f8) returned 1 [0058.358] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x38b0070 | out: hHeap=0x5f0000) returned 1 [0058.407] FindNextFileW (in: hFindFile=0x4011238, lpFindFileData=0x302f310 | out: lpFindFileData=0x302f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e96ab6a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e96ab6a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x12ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="menu_style_default_Thumbnail.png", cAlternateFileName="")) returned 1 Thread: id = 17 os_tid = 0x570 [0048.372] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x38c0078 [0048.373] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x38d0080 [0048.374] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646ac0 [0048.374] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x646f60 [0048.374] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646ad8 [0048.374] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x3bb0020 [0048.374] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646af0 [0048.374] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646af0, Size=0x20) returned 0x63c7a8 [0048.374] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646af0 [0048.374] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646af0, Size=0x20) returned 0x63c758 [0048.375] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0048.375] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0048.375] Wow64DisableWow64FsRedirection (in: OldValue=0x316ff58 | out: OldValue=0x316ff58*=0x0) returned 1 [0048.375] lstrlenW (lpString="kernel32.dll") returned 12 [0048.375] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c7a8 | out: hHeap=0x5f0000) returned 1 [0048.375] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0048.375] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c758 | out: hHeap=0x5f0000) returned 1 [0048.375] Sleep (dwMilliseconds=0x64) [0048.568] lstrlenW (lpString="BCD") returned 3 [0048.568] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.568] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0048.569] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0048.569] lstrlenW (lpString=".doc") returned 4 [0048.569] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0048.569] lstrlenW (lpString=".docx") returned 5 [0048.569] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0048.569] lstrlenW (lpString=".pdf") returned 4 [0048.569] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0048.569] lstrlenW (lpString=".xls") returned 4 [0048.569] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0048.569] lstrlenW (lpString=".xlsx") returned 5 [0048.569] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0048.569] lstrlenW (lpString=".ppt") returned 4 [0048.569] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0048.569] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0048.569] lstrlenW (lpString=".zip") returned 4 [0048.569] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0048.569] lstrlenW (lpString=".rar") returned 4 [0048.569] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0048.569] lstrlenW (lpString=".bz2") returned 4 [0048.569] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0048.569] lstrlenW (lpString=".7z") returned 3 [0048.569] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0048.569] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0048.569] lstrlenW (lpString=".dbf") returned 4 [0048.569] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0048.569] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0048.569] lstrlenW (lpString=".1cd") returned 4 [0048.570] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0048.570] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0048.570] lstrlenW (lpString=".jpg") returned 4 [0048.570] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0048.570] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0048.570] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0048.570] lstrlenW (lpString=".doc") returned 4 [0048.570] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0048.570] lstrlenW (lpString=".docx") returned 5 [0048.570] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0048.570] lstrlenW (lpString=".pdf") returned 4 [0048.570] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0048.570] lstrlenW (lpString=".xls") returned 4 [0048.570] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0048.570] lstrlenW (lpString=".xlsx") returned 5 [0048.570] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0048.570] lstrlenW (lpString=".ppt") returned 4 [0048.570] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0048.570] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0048.570] lstrlenW (lpString=".zip") returned 4 [0048.570] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0048.570] lstrlenW (lpString=".rar") returned 4 [0048.570] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0048.570] lstrlenW (lpString=".bz2") returned 4 [0048.570] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0048.570] lstrlenW (lpString=".7z") returned 3 [0048.571] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0048.571] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0048.571] lstrlenW (lpString=".dbf") returned 4 [0048.571] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0048.571] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0048.571] lstrlenW (lpString=".1cd") returned 4 [0048.571] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0048.571] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0048.571] lstrlenW (lpString=".jpg") returned 4 [0048.571] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0048.571] lstrcmpiW (lpString1=".LOG1", lpString2=".bmd") returned 1 [0048.571] lstrlenW (lpString="BCD.LOG1") returned 8 [0048.571] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0048.572] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x316ff1c | out: lpFileSize=0x316ff1c*=0) returned 1 [0048.572] CloseHandle (hObject=0x188) returned 1 [0048.572] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0048.572] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0048.572] lstrlenW (lpString=".doc") returned 4 [0048.572] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0048.572] lstrlenW (lpString=".docx") returned 5 [0048.572] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0048.572] lstrlenW (lpString=".pdf") returned 4 [0048.572] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0048.572] lstrlenW (lpString=".xls") returned 4 [0048.572] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0048.572] lstrlenW (lpString=".xlsx") returned 5 [0048.572] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0048.572] lstrlenW (lpString=".ppt") returned 4 [0048.572] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0048.572] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0048.572] lstrlenW (lpString=".zip") returned 4 [0048.572] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0048.572] lstrlenW (lpString=".rar") returned 4 [0048.572] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0048.572] lstrlenW (lpString=".bz2") returned 4 [0048.572] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0048.572] lstrlenW (lpString=".7z") returned 3 [0048.572] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0048.573] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0048.573] lstrlenW (lpString=".dbf") returned 4 [0048.573] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0048.573] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0048.573] lstrlenW (lpString=".1cd") returned 4 [0048.573] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0048.573] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0048.573] lstrlenW (lpString=".jpg") returned 4 [0048.573] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0048.573] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0048.573] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0048.573] lstrlenW (lpString=".doc") returned 4 [0048.573] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0048.573] lstrlenW (lpString=".docx") returned 5 [0048.573] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0048.573] lstrlenW (lpString=".pdf") returned 4 [0048.573] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0048.573] lstrlenW (lpString=".xls") returned 4 [0048.573] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0048.573] lstrlenW (lpString=".xlsx") returned 5 [0048.573] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0048.573] lstrlenW (lpString=".ppt") returned 4 [0048.573] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0048.573] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0048.573] lstrlenW (lpString=".zip") returned 4 [0048.573] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0048.573] lstrlenW (lpString=".rar") returned 4 [0048.573] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0048.573] lstrlenW (lpString=".bz2") returned 4 [0048.573] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0048.573] lstrlenW (lpString=".7z") returned 3 [0048.573] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0048.573] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0048.574] lstrlenW (lpString=".dbf") returned 4 [0048.574] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0048.574] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0048.574] lstrlenW (lpString=".1cd") returned 4 [0048.574] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0048.574] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0048.574] lstrlenW (lpString=".jpg") returned 4 [0048.574] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0048.574] lstrcmpiW (lpString1=".LOG2", lpString2=".bmd") returned 1 [0048.574] lstrlenW (lpString="BCD.LOG2") returned 8 [0048.574] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0048.574] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x316ff1c | out: lpFileSize=0x316ff1c*=0) returned 1 [0048.574] CloseHandle (hObject=0x188) returned 1 [0048.574] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0048.574] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0048.574] lstrlenW (lpString=".doc") returned 4 [0048.574] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0048.574] lstrlenW (lpString=".docx") returned 5 [0048.574] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0048.575] lstrlenW (lpString=".pdf") returned 4 [0048.575] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0048.575] lstrlenW (lpString=".xls") returned 4 [0048.575] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0048.575] lstrlenW (lpString=".xlsx") returned 5 [0048.575] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0048.575] lstrlenW (lpString=".ppt") returned 4 [0048.575] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0048.575] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0048.575] lstrlenW (lpString=".zip") returned 4 [0048.575] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0048.575] lstrlenW (lpString=".rar") returned 4 [0048.575] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0048.575] lstrlenW (lpString=".bz2") returned 4 [0048.575] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0048.575] lstrlenW (lpString=".7z") returned 3 [0048.575] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0048.575] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0048.575] lstrlenW (lpString=".dbf") returned 4 [0048.575] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0048.575] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0048.575] lstrlenW (lpString=".1cd") returned 4 [0048.575] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0048.575] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0048.575] lstrlenW (lpString=".jpg") returned 4 [0048.575] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0048.575] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0048.575] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0048.575] lstrlenW (lpString=".doc") returned 4 [0048.575] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0048.575] lstrlenW (lpString=".docx") returned 5 [0048.575] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0048.575] lstrlenW (lpString=".pdf") returned 4 [0048.576] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0048.576] lstrlenW (lpString=".xls") returned 4 [0048.576] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0048.576] lstrlenW (lpString=".xlsx") returned 5 [0048.576] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0048.576] lstrlenW (lpString=".ppt") returned 4 [0048.576] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0048.576] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0048.576] lstrlenW (lpString=".zip") returned 4 [0048.576] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0048.576] lstrlenW (lpString=".rar") returned 4 [0048.576] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0048.576] lstrlenW (lpString=".bz2") returned 4 [0048.576] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0048.576] lstrlenW (lpString=".7z") returned 3 [0048.576] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0048.576] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0048.576] lstrlenW (lpString=".dbf") returned 4 [0048.576] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0048.576] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0048.576] lstrlenW (lpString=".1cd") returned 4 [0048.576] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0048.576] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0048.576] lstrlenW (lpString=".jpg") returned 4 [0048.576] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0048.576] lstrcmpiW (lpString1=".mui", lpString2=".bmd") returned 1 [0048.579] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0048.579] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0048.579] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x316ff1c | out: lpFileSize=0x316ff1c*=89168) returned 1 [0048.579] CloseHandle (hObject=0x194) returned 1 [0048.579] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui")) returned 0x20 [0048.579] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.580] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.580] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0048.580] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0048.580] lstrlenW (lpString=".doc") returned 4 [0048.580] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.580] lstrlenW (lpString=".docx") returned 5 [0048.580] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.580] lstrlenW (lpString=".pdf") returned 4 [0048.580] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.580] lstrlenW (lpString=".xls") returned 4 [0048.580] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.580] lstrlenW (lpString=".xlsx") returned 5 [0048.580] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.580] lstrlenW (lpString=".ppt") returned 4 [0048.580] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0048.580] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0048.580] lstrlenW (lpString=".zip") returned 4 [0048.580] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0048.580] lstrlenW (lpString=".rar") returned 4 [0048.580] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0048.580] lstrlenW (lpString=".bz2") returned 4 [0048.580] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0048.580] lstrlenW (lpString=".7z") returned 3 [0048.580] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0048.581] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0048.581] lstrlenW (lpString=".dbf") returned 4 [0048.581] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0048.581] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0048.581] lstrlenW (lpString=".1cd") returned 4 [0048.581] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0048.581] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0048.581] lstrlenW (lpString=".jpg") returned 4 [0048.581] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0048.581] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0048.581] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0048.581] lstrlenW (lpString=".doc") returned 4 [0048.581] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.581] lstrlenW (lpString=".docx") returned 5 [0048.581] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.581] lstrlenW (lpString=".pdf") returned 4 [0048.581] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.581] lstrlenW (lpString=".xls") returned 4 [0048.581] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.581] lstrlenW (lpString=".xlsx") returned 5 [0048.581] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.581] lstrlenW (lpString=".ppt") returned 4 [0048.581] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0048.581] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0048.581] lstrlenW (lpString=".zip") returned 4 [0048.582] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0048.582] lstrlenW (lpString=".rar") returned 4 [0048.582] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0048.582] lstrlenW (lpString=".bz2") returned 4 [0048.582] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0048.582] lstrlenW (lpString=".7z") returned 3 [0048.582] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0048.582] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0048.582] lstrlenW (lpString=".dbf") returned 4 [0048.582] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0048.582] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0048.582] lstrlenW (lpString=".1cd") returned 4 [0048.582] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0048.582] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0048.582] lstrlenW (lpString=".jpg") returned 4 [0048.582] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0048.582] lstrcmpiW (lpString1=".mui", lpString2=".bmd") returned 1 [0048.582] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0048.582] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0048.583] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x316ff1c | out: lpFileSize=0x316ff1c*=87616) returned 1 [0048.583] CloseHandle (hObject=0x194) returned 1 [0048.584] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui")) returned 0x20 [0048.585] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.585] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.585] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0048.585] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0048.585] lstrlenW (lpString=".doc") returned 4 [0048.585] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.585] lstrlenW (lpString=".docx") returned 5 [0048.585] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.585] lstrlenW (lpString=".pdf") returned 4 [0048.585] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.585] lstrlenW (lpString=".xls") returned 4 [0048.585] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.585] lstrlenW (lpString=".xlsx") returned 5 [0048.585] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.585] lstrlenW (lpString=".ppt") returned 4 [0048.585] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0048.585] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0048.585] lstrlenW (lpString=".zip") returned 4 [0048.585] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0048.585] lstrlenW (lpString=".rar") returned 4 [0048.585] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0048.585] lstrlenW (lpString=".bz2") returned 4 [0048.585] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0048.585] lstrlenW (lpString=".7z") returned 3 [0048.585] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0048.585] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0048.585] lstrlenW (lpString=".dbf") returned 4 [0048.586] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0048.586] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0048.586] lstrlenW (lpString=".1cd") returned 4 [0048.586] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0048.586] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0048.586] lstrlenW (lpString=".jpg") returned 4 [0048.586] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0048.586] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0048.586] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0048.586] lstrlenW (lpString=".doc") returned 4 [0048.586] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.586] lstrlenW (lpString=".docx") returned 5 [0048.586] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.586] lstrlenW (lpString=".pdf") returned 4 [0048.586] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.586] lstrlenW (lpString=".xls") returned 4 [0048.586] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.586] lstrlenW (lpString=".xlsx") returned 5 [0048.586] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.586] lstrlenW (lpString=".ppt") returned 4 [0048.586] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0048.586] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0048.586] lstrlenW (lpString=".zip") returned 4 [0048.586] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0048.586] lstrlenW (lpString=".rar") returned 4 [0048.586] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0048.587] lstrlenW (lpString=".bz2") returned 4 [0048.587] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0048.587] lstrlenW (lpString=".7z") returned 3 [0048.587] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0048.587] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0048.587] lstrlenW (lpString=".dbf") returned 4 [0048.587] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0048.587] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0048.587] lstrlenW (lpString=".1cd") returned 4 [0048.587] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0048.587] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0048.587] lstrlenW (lpString=".jpg") returned 4 [0048.587] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0048.587] lstrcmpiW (lpString1=".mui", lpString2=".bmd") returned 1 [0048.587] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0048.587] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0048.587] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x316ff1c | out: lpFileSize=0x316ff1c*=91712) returned 1 [0048.588] CloseHandle (hObject=0x194) returned 1 [0048.588] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui")) returned 0x20 [0048.588] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.588] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.588] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0048.588] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0048.588] lstrlenW (lpString=".doc") returned 4 [0048.588] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.589] lstrlenW (lpString=".docx") returned 5 [0048.589] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.589] lstrlenW (lpString=".pdf") returned 4 [0048.589] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.589] lstrlenW (lpString=".xls") returned 4 [0048.589] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.589] lstrlenW (lpString=".xlsx") returned 5 [0048.589] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.589] lstrlenW (lpString=".ppt") returned 4 [0048.589] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0048.589] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0048.589] lstrlenW (lpString=".zip") returned 4 [0048.589] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0048.589] lstrlenW (lpString=".rar") returned 4 [0048.589] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0048.589] lstrlenW (lpString=".bz2") returned 4 [0048.589] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0048.589] lstrlenW (lpString=".7z") returned 3 [0048.589] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0048.589] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0048.589] lstrlenW (lpString=".dbf") returned 4 [0048.589] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0048.589] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0048.589] lstrlenW (lpString=".1cd") returned 4 [0048.589] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0048.589] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0048.589] lstrlenW (lpString=".jpg") returned 4 [0048.590] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0048.590] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0048.590] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0048.590] lstrlenW (lpString=".doc") returned 4 [0048.590] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.590] lstrlenW (lpString=".docx") returned 5 [0048.590] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.590] lstrlenW (lpString=".pdf") returned 4 [0048.590] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.590] lstrlenW (lpString=".xls") returned 4 [0048.590] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.590] lstrlenW (lpString=".xlsx") returned 5 [0048.590] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.590] lstrlenW (lpString=".ppt") returned 4 [0048.590] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0048.590] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0048.590] lstrlenW (lpString=".zip") returned 4 [0048.590] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0048.590] lstrlenW (lpString=".rar") returned 4 [0048.590] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0048.590] lstrlenW (lpString=".bz2") returned 4 [0048.590] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0048.590] lstrlenW (lpString=".7z") returned 3 [0048.590] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0048.590] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0048.591] lstrlenW (lpString=".dbf") returned 4 [0048.591] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0048.591] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0048.591] lstrlenW (lpString=".1cd") returned 4 [0048.591] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0048.591] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0048.591] lstrlenW (lpString=".jpg") returned 4 [0048.591] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0048.591] lstrcmpiW (lpString1=".mui", lpString2=".bmd") returned 1 [0048.591] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0048.591] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0048.591] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x316ff1c | out: lpFileSize=0x316ff1c*=94800) returned 1 [0048.591] CloseHandle (hObject=0x194) returned 1 [0048.591] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui")) returned 0x20 [0048.592] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.592] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.592] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0048.592] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0048.592] lstrlenW (lpString=".doc") returned 4 [0048.592] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.592] lstrlenW (lpString=".docx") returned 5 [0048.592] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.592] lstrlenW (lpString=".pdf") returned 4 [0048.592] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.592] lstrlenW (lpString=".xls") returned 4 [0048.592] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.592] lstrlenW (lpString=".xlsx") returned 5 [0048.592] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.592] lstrlenW (lpString=".ppt") returned 4 [0048.592] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0048.592] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0048.592] lstrlenW (lpString=".zip") returned 4 [0048.592] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0048.592] lstrlenW (lpString=".rar") returned 4 [0048.592] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0048.592] lstrlenW (lpString=".bz2") returned 4 [0048.592] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0048.593] lstrlenW (lpString=".7z") returned 3 [0048.593] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0048.594] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\chs_boot.ttf.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0 [0048.952] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\cht_boot.ttf.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0 [0048.953] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0048.953] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0048.954] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc6c | out: lpNewFilePointer=0x0) returned 1 [0048.954] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.954] ReadFile (in: hFile=0x164, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.703] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.703] ReadFile (in: hFile=0x164, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.995] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x316fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0050.995] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.995] ReadFile (in: hFile=0x164, lpBuffer=0x3c30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c30058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.221] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.222] WriteFile (in: hFile=0x164, lpBuffer=0x3bb0020*, nNumberOfBytesToWrite=0xc010e, lpNumberOfBytesWritten=0x316fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesWritten=0x316fcb0*=0xc010e, lpOverlapped=0x0) returned 1 [0051.577] SetEndOfFile (hFile=0x164) returned 1 [0051.577] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x40c2090 [0051.580] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.581] WriteFile (in: hFile=0x164, lpBuffer=0x40c2090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x40c2090*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.583] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.583] WriteFile (in: hFile=0x164, lpBuffer=0x40c2090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x40c2090*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.591] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.591] WriteFile (in: hFile=0x164, lpBuffer=0x40c2090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x40c2090*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.595] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x40c2090 | out: hHeap=0x5f0000) returned 1 [0051.595] CloseHandle (hObject=0x164) returned 1 [0052.977] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0052.977] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0052.977] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0052.977] lstrlenW (lpString=".doc") returned 4 [0052.977] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.977] lstrlenW (lpString=".docx") returned 5 [0052.977] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0052.977] lstrlenW (lpString=".pdf") returned 4 [0052.977] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.977] lstrlenW (lpString=".xls") returned 4 [0052.977] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.977] lstrlenW (lpString=".xlsx") returned 5 [0052.977] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0052.977] lstrlenW (lpString=".ppt") returned 4 [0052.977] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.977] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0052.977] lstrlenW (lpString=".zip") returned 4 [0052.977] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.978] lstrlenW (lpString=".rar") returned 4 [0052.978] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.978] lstrlenW (lpString=".bz2") returned 4 [0052.978] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.978] lstrlenW (lpString=".7z") returned 3 [0052.978] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.978] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0052.978] lstrlenW (lpString=".dbf") returned 4 [0052.978] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.978] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0052.978] lstrlenW (lpString=".1cd") returned 4 [0052.978] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.978] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0052.978] lstrlenW (lpString=".jpg") returned 4 [0052.978] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.978] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0052.978] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0052.978] lstrlenW (lpString=".doc") returned 4 [0052.978] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.978] lstrlenW (lpString=".docx") returned 5 [0052.978] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0052.978] lstrlenW (lpString=".pdf") returned 4 [0052.978] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.978] lstrlenW (lpString=".xls") returned 4 [0052.978] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.978] lstrlenW (lpString=".xlsx") returned 5 [0052.978] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0052.978] lstrlenW (lpString=".ppt") returned 4 [0052.978] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.978] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0052.978] lstrlenW (lpString=".zip") returned 4 [0052.978] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.978] lstrlenW (lpString=".rar") returned 4 [0052.978] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.979] lstrlenW (lpString=".bz2") returned 4 [0052.979] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.979] lstrlenW (lpString=".7z") returned 3 [0052.979] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.979] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0052.979] lstrlenW (lpString=".dbf") returned 4 [0052.979] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.979] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0052.979] lstrlenW (lpString=".1cd") returned 4 [0052.979] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.979] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0052.979] lstrlenW (lpString=".jpg") returned 4 [0052.979] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.979] lstrcmpiW (lpString1=".cab", lpString2=".bmd") returned 1 [0052.979] lstrlenW (lpString="PubLR.cab") returned 9 [0052.979] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0052.979] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x316ff1c | out: lpFileSize=0x316ff1c*=9958388) returned 1 [0052.979] CloseHandle (hObject=0x164) returned 1 [0052.979] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab")) returned 0x2020 [0052.980] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0052.980] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0052.980] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0052.980] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc6c | out: lpNewFilePointer=0x0) returned 1 [0052.980] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.980] ReadFile (in: hFile=0x164, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.139] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x32a6a6, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0053.139] ReadFile (in: hFile=0x164, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.223] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x316fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0053.224] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x93f3f4, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0053.224] ReadFile (in: hFile=0x164, lpBuffer=0x3c30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c30058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.297] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.297] WriteFile (in: hFile=0x164, lpBuffer=0x3bb0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x316fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesWritten=0x316fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0053.458] SetEndOfFile (hFile=0x164) returned 1 [0053.458] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x40a2098 [0053.461] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.461] WriteFile (in: hFile=0x164, lpBuffer=0x40a2098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a2098*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.463] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x32a6a6, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.463] WriteFile (in: hFile=0x164, lpBuffer=0x40a2098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a2098*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.468] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x93f3f4, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.468] WriteFile (in: hFile=0x164, lpBuffer=0x40a2098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a2098*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.473] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x40a2098 | out: hHeap=0x5f0000) returned 1 [0053.473] CloseHandle (hObject=0x164) returned 1 [0056.324] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0056.324] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0056.324] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0056.324] lstrlenW (lpString=".doc") returned 4 [0056.324] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0056.324] lstrlenW (lpString=".docx") returned 5 [0056.325] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0056.325] lstrlenW (lpString=".pdf") returned 4 [0056.325] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0056.325] lstrlenW (lpString=".xls") returned 4 [0056.325] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0056.325] lstrlenW (lpString=".xlsx") returned 5 [0056.325] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0056.325] lstrlenW (lpString=".ppt") returned 4 [0056.325] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0056.325] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0056.325] lstrlenW (lpString=".zip") returned 4 [0056.325] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0056.325] lstrlenW (lpString=".rar") returned 4 [0056.325] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0056.325] lstrlenW (lpString=".bz2") returned 4 [0056.325] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0056.325] lstrlenW (lpString=".7z") returned 3 [0056.325] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0056.325] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0056.325] lstrlenW (lpString=".dbf") returned 4 [0056.325] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0056.325] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0056.325] lstrlenW (lpString=".1cd") returned 4 [0056.325] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0056.325] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0056.325] lstrlenW (lpString=".jpg") returned 4 [0056.325] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0056.326] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0056.326] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0056.326] lstrlenW (lpString=".doc") returned 4 [0056.326] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0056.326] lstrlenW (lpString=".docx") returned 5 [0056.326] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0056.326] lstrlenW (lpString=".pdf") returned 4 [0056.326] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0056.326] lstrlenW (lpString=".xls") returned 4 [0056.326] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0056.326] lstrlenW (lpString=".xlsx") returned 5 [0056.326] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0056.326] lstrlenW (lpString=".ppt") returned 4 [0056.326] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0056.326] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0056.326] lstrlenW (lpString=".zip") returned 4 [0056.326] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0056.326] lstrlenW (lpString=".rar") returned 4 [0056.326] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0056.326] lstrlenW (lpString=".bz2") returned 4 [0056.326] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0056.326] lstrlenW (lpString=".7z") returned 3 [0056.326] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0056.326] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0056.326] lstrlenW (lpString=".dbf") returned 4 [0056.326] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0056.326] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0056.326] lstrlenW (lpString=".1cd") returned 4 [0056.326] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0056.326] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0056.326] lstrlenW (lpString=".jpg") returned 4 [0056.326] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0056.327] lstrcmpiW (lpString1=".cab", lpString2=".bmd") returned 1 [0056.327] lstrlenW (lpString="Proof.cab") returned 9 [0056.327] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0056.327] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x316ff1c | out: lpFileSize=0x316ff1c*=11482605) returned 1 [0056.327] CloseHandle (hObject=0x164) returned 1 [0056.327] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab")) returned 0x2020 [0056.327] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0056.328] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0057.784] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0057.784] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc6c | out: lpNewFilePointer=0x0) returned 1 [0057.785] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0057.785] ReadFile (in: hFile=0x164, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0057.919] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x3a674f, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0057.919] ReadFile (in: hFile=0x164, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0057.982] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x316fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0057.982] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xab35ed, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0057.982] ReadFile (in: hFile=0x164, lpBuffer=0x3c30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c30058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0058.140] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.140] WriteFile (in: hFile=0x164, lpBuffer=0x3bb0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x316fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesWritten=0x316fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0058.355] SetEndOfFile (hFile=0x164) returned 1 [0058.355] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x40b20a0 [0058.388] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0058.388] WriteFile (in: hFile=0x164, lpBuffer=0x40b20a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x40b20a0*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0058.389] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x3a674f, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0058.389] WriteFile (in: hFile=0x164, lpBuffer=0x40b20a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x40b20a0*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0058.392] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xab35ed, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0058.392] WriteFile (in: hFile=0x164, lpBuffer=0x40b20a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x40b20a0*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0058.395] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x40b20a0 | out: hHeap=0x5f0000) returned 1 [0058.395] CloseHandle (hObject=0x164) returned 1 [0060.819] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0060.819] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0060.819] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0060.819] lstrlenW (lpString=".doc") returned 4 [0060.819] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0060.819] lstrlenW (lpString=".docx") returned 5 [0060.819] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0060.819] lstrlenW (lpString=".pdf") returned 4 [0060.819] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0060.820] lstrlenW (lpString=".xls") returned 4 [0060.820] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0060.820] lstrlenW (lpString=".xlsx") returned 5 [0060.820] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0060.820] lstrlenW (lpString=".ppt") returned 4 [0060.820] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0060.820] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0060.820] lstrlenW (lpString=".zip") returned 4 [0060.820] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0060.820] lstrlenW (lpString=".rar") returned 4 [0060.820] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0060.820] lstrlenW (lpString=".bz2") returned 4 [0060.820] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0060.820] lstrlenW (lpString=".7z") returned 3 [0060.820] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0060.820] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0060.820] lstrlenW (lpString=".dbf") returned 4 [0060.820] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0060.820] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0060.820] lstrlenW (lpString=".1cd") returned 4 [0060.820] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0060.820] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0060.820] lstrlenW (lpString=".jpg") returned 4 [0060.820] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0060.821] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0060.821] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0060.821] lstrlenW (lpString=".doc") returned 4 [0060.821] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0060.821] lstrlenW (lpString=".docx") returned 5 [0060.821] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0060.821] lstrlenW (lpString=".pdf") returned 4 [0060.821] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0060.821] lstrlenW (lpString=".xls") returned 4 [0060.821] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0060.821] lstrlenW (lpString=".xlsx") returned 5 [0060.821] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0060.821] lstrlenW (lpString=".ppt") returned 4 [0060.821] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0060.821] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0060.821] lstrlenW (lpString=".zip") returned 4 [0060.821] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0060.821] lstrlenW (lpString=".rar") returned 4 [0060.821] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0060.821] lstrlenW (lpString=".bz2") returned 4 [0060.821] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0060.821] lstrlenW (lpString=".7z") returned 3 [0060.822] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0060.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0060.822] lstrlenW (lpString=".dbf") returned 4 [0060.822] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0060.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0060.822] lstrlenW (lpString=".1cd") returned 4 [0060.822] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0060.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0060.822] lstrlenW (lpString=".jpg") returned 4 [0060.822] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0060.880] lstrcmpiW (lpString1=".msi", lpString2=".bmd") returned 1 [0060.880] lstrlenW (lpString="Proofing.msi") returned 12 [0060.880] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0060.881] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x316ff1c | out: lpFileSize=0x316ff1c*=868864) returned 1 [0060.881] CloseHandle (hObject=0x1b8) returned 1 [0060.881] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi")) returned 0x2020 [0060.881] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0060.881] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0060.881] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.881] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.882] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0060.937] GetLastError () returned 0x0 [0060.937] ReadFile (in: hFile=0x1b8, lpBuffer=0x3bb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x316fed4, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesRead=0x316fed4*=0xd4200, lpOverlapped=0x0) returned 1 [0060.961] WriteFile (in: hFile=0x19c, lpBuffer=0x3bb0020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x316fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesWritten=0x316fc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0061.109] ReadFile (in: hFile=0x1b8, lpBuffer=0x3bb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x316fed4, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesRead=0x316fed4*=0x0, lpOverlapped=0x0) returned 1 [0061.109] WriteFile (in: hFile=0x19c, lpBuffer=0x3bb0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x316fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesWritten=0x316fc9c*=0xec, lpOverlapped=0x0) returned 1 [0061.109] SetEndOfFile (hFile=0x19c) returned 1 [0061.110] CloseHandle (hObject=0x19c) returned 1 [0061.118] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.118] SetEndOfFile (hFile=0x1b8) returned 1 [0061.126] CloseHandle (hObject=0x1b8) returned 1 [0061.126] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0061.126] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi")) returned 1 [0061.127] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0061.127] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0061.127] lstrlenW (lpString=".doc") returned 4 [0061.127] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0061.127] lstrlenW (lpString=".docx") returned 5 [0061.127] lstrcmpiW (lpString1=".docx", lpString2="g.msi") returned -1 [0061.127] lstrlenW (lpString=".pdf") returned 4 [0061.127] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0061.127] lstrlenW (lpString=".xls") returned 4 [0061.127] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0061.127] lstrlenW (lpString=".xlsx") returned 5 [0061.127] lstrcmpiW (lpString1=".xlsx", lpString2="g.msi") returned -1 [0061.127] lstrlenW (lpString=".ppt") returned 4 [0061.127] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0061.127] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0061.127] lstrlenW (lpString=".zip") returned 4 [0061.127] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0061.127] lstrlenW (lpString=".rar") returned 4 [0061.127] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0061.127] lstrlenW (lpString=".bz2") returned 4 [0061.127] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0061.127] lstrlenW (lpString=".7z") returned 3 [0061.127] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0061.127] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0061.127] lstrlenW (lpString=".dbf") returned 4 [0061.127] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0061.127] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0061.127] lstrlenW (lpString=".1cd") returned 4 [0061.128] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0061.128] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0061.128] lstrlenW (lpString=".jpg") returned 4 [0061.128] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0061.128] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0061.128] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0061.128] lstrlenW (lpString=".doc") returned 4 [0061.128] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0061.128] lstrlenW (lpString=".docx") returned 5 [0061.128] lstrcmpiW (lpString1=".docx", lpString2="g.msi") returned -1 [0061.128] lstrlenW (lpString=".pdf") returned 4 [0061.128] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0061.128] lstrlenW (lpString=".xls") returned 4 [0061.128] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0061.128] lstrlenW (lpString=".xlsx") returned 5 [0061.128] lstrcmpiW (lpString1=".xlsx", lpString2="g.msi") returned -1 [0061.128] lstrlenW (lpString=".ppt") returned 4 [0061.128] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0061.128] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0061.128] lstrlenW (lpString=".zip") returned 4 [0061.128] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0061.128] lstrlenW (lpString=".rar") returned 4 [0061.128] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0061.128] lstrlenW (lpString=".bz2") returned 4 [0061.128] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0061.128] lstrlenW (lpString=".7z") returned 3 [0061.128] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0061.128] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0061.128] lstrlenW (lpString=".dbf") returned 4 [0061.128] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0061.128] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0061.129] lstrlenW (lpString=".1cd") returned 4 [0061.129] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0061.129] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0061.129] lstrlenW (lpString=".jpg") returned 4 [0061.129] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0061.129] lstrcmpiW (lpString1=".msi", lpString2=".bmd") returned 1 [0061.129] lstrlenW (lpString="Office32MUI.msi") returned 15 [0061.129] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0061.129] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x316ff1c | out: lpFileSize=0x316ff1c*=873984) returned 1 [0061.129] CloseHandle (hObject=0x1b8) returned 1 [0061.130] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi")) returned 0x2020 [0061.130] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0061.130] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0061.130] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.130] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.130] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0061.312] GetLastError () returned 0x0 [0061.312] ReadFile (in: hFile=0x1b8, lpBuffer=0x3bb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x316fed4, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesRead=0x316fed4*=0xd5600, lpOverlapped=0x0) returned 1 [0061.343] WriteFile (in: hFile=0x1d4, lpBuffer=0x3bb0020*, nNumberOfBytesToWrite=0xd5610, lpNumberOfBytesWritten=0x316fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesWritten=0x316fc9c*=0xd5610, lpOverlapped=0x0) returned 1 [0062.054] ReadFile (in: hFile=0x1b8, lpBuffer=0x3bb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x316fed4, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesRead=0x316fed4*=0x0, lpOverlapped=0x0) returned 1 [0062.054] WriteFile (in: hFile=0x1d4, lpBuffer=0x3bb0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x316fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesWritten=0x316fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0062.055] SetEndOfFile (hFile=0x1d4) returned 1 [0062.055] CloseHandle (hObject=0x1d4) returned 1 [0062.065] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.065] SetEndOfFile (hFile=0x1b8) returned 1 [0062.075] CloseHandle (hObject=0x1b8) returned 1 [0062.075] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0062.075] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi")) returned 1 [0062.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0062.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0062.076] lstrlenW (lpString=".doc") returned 4 [0062.076] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0062.076] lstrlenW (lpString=".docx") returned 5 [0062.076] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0062.076] lstrlenW (lpString=".pdf") returned 4 [0062.076] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0062.076] lstrlenW (lpString=".xls") returned 4 [0062.076] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0062.076] lstrlenW (lpString=".xlsx") returned 5 [0062.076] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0062.076] lstrlenW (lpString=".ppt") returned 4 [0062.076] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0062.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0062.076] lstrlenW (lpString=".zip") returned 4 [0062.076] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0062.076] lstrlenW (lpString=".rar") returned 4 [0062.076] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0062.076] lstrlenW (lpString=".bz2") returned 4 [0062.076] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0062.076] lstrlenW (lpString=".7z") returned 3 [0062.076] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0062.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0062.076] lstrlenW (lpString=".dbf") returned 4 [0062.076] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0062.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0062.077] lstrlenW (lpString=".1cd") returned 4 [0062.077] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0062.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0062.077] lstrlenW (lpString=".jpg") returned 4 [0062.077] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0062.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0062.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0062.077] lstrlenW (lpString=".doc") returned 4 [0062.077] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0062.077] lstrlenW (lpString=".docx") returned 5 [0062.077] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0062.077] lstrlenW (lpString=".pdf") returned 4 [0062.077] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0062.077] lstrlenW (lpString=".xls") returned 4 [0062.077] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0062.077] lstrlenW (lpString=".xlsx") returned 5 [0062.077] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0062.077] lstrlenW (lpString=".ppt") returned 4 [0062.077] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0062.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0062.077] lstrlenW (lpString=".zip") returned 4 [0062.077] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0062.077] lstrlenW (lpString=".rar") returned 4 [0062.077] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0062.077] lstrlenW (lpString=".bz2") returned 4 [0062.078] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0062.078] lstrlenW (lpString=".7z") returned 3 [0062.078] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0062.078] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0062.078] lstrlenW (lpString=".dbf") returned 4 [0062.078] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0062.078] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0062.078] lstrlenW (lpString=".1cd") returned 4 [0062.078] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0062.078] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0062.078] lstrlenW (lpString=".jpg") returned 4 [0062.078] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0062.078] lstrcmpiW (lpString1=".cab", lpString2=".bmd") returned 1 [0062.078] lstrlenW (lpString="InfLR.cab") returned 9 [0062.078] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0062.079] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x316ff1c | out: lpFileSize=0x316ff1c*=18874884) returned 1 [0062.079] CloseHandle (hObject=0x1b8) returned 1 [0062.079] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab")) returned 0x2020 [0062.079] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.079] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0062.080] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0062.080] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc6c | out: lpNewFilePointer=0x0) returned 1 [0062.080] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0062.080] ReadFile (in: hFile=0x1b8, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0062.310] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x6000ac, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0062.310] ReadFile (in: hFile=0x1b8, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0062.374] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x316fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0062.374] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x11c0204, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0062.374] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c30058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0062.692] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.692] WriteFile (in: hFile=0x1b8, lpBuffer=0x3bb0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x316fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesWritten=0x316fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0062.705] SetEndOfFile (hFile=0x1b8) returned 1 [0062.705] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x4092090 [0062.709] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0062.709] WriteFile (in: hFile=0x1b8, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0062.711] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x6000ac, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0062.711] WriteFile (in: hFile=0x1b8, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0062.716] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x11c0204, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0062.716] WriteFile (in: hFile=0x1b8, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0062.720] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4092090 | out: hHeap=0x5f0000) returned 1 [0062.720] CloseHandle (hObject=0x1b8) returned 1 [0063.984] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0063.984] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0063.984] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0063.984] lstrlenW (lpString=".doc") returned 4 [0063.984] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0063.984] lstrlenW (lpString=".docx") returned 5 [0063.985] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0063.985] lstrlenW (lpString=".pdf") returned 4 [0063.985] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0063.985] lstrlenW (lpString=".xls") returned 4 [0063.985] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0063.985] lstrlenW (lpString=".xlsx") returned 5 [0063.985] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0063.985] lstrlenW (lpString=".ppt") returned 4 [0063.985] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0063.985] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0063.985] lstrlenW (lpString=".zip") returned 4 [0063.985] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0063.985] lstrlenW (lpString=".rar") returned 4 [0063.985] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0063.985] lstrlenW (lpString=".bz2") returned 4 [0063.985] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0063.985] lstrlenW (lpString=".7z") returned 3 [0063.985] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0063.985] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0063.985] lstrlenW (lpString=".dbf") returned 4 [0063.985] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0063.985] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0063.985] lstrlenW (lpString=".1cd") returned 4 [0063.985] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0063.985] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0063.985] lstrlenW (lpString=".jpg") returned 4 [0063.986] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0063.986] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0063.986] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0063.986] lstrlenW (lpString=".doc") returned 4 [0063.986] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0063.986] lstrlenW (lpString=".docx") returned 5 [0063.986] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0063.986] lstrlenW (lpString=".pdf") returned 4 [0063.986] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0063.986] lstrlenW (lpString=".xls") returned 4 [0063.986] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0063.986] lstrlenW (lpString=".xlsx") returned 5 [0063.986] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0063.986] lstrlenW (lpString=".ppt") returned 4 [0063.986] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0063.986] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0063.986] lstrlenW (lpString=".zip") returned 4 [0063.986] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0063.986] lstrlenW (lpString=".rar") returned 4 [0063.986] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0063.986] lstrlenW (lpString=".bz2") returned 4 [0063.986] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0063.986] lstrlenW (lpString=".7z") returned 3 [0063.986] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0063.986] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0063.986] lstrlenW (lpString=".dbf") returned 4 [0063.986] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0063.987] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0063.987] lstrlenW (lpString=".1cd") returned 4 [0063.987] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0063.987] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0063.987] lstrlenW (lpString=".jpg") returned 4 [0063.987] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0063.987] lstrcmpiW (lpString1=".cab", lpString2=".bmd") returned 1 [0063.987] lstrlenW (lpString="OnoteLR.cab") returned 11 [0063.987] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0064.327] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x316ff1c | out: lpFileSize=0x316ff1c*=17456632) returned 1 [0064.327] CloseHandle (hObject=0x1b8) returned 1 [0064.327] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab")) returned 0x2020 [0064.327] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0064.327] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0064.328] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0064.328] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc6c | out: lpNewFilePointer=0x0) returned 1 [0064.328] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0064.328] ReadFile (in: hFile=0x1b8, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0064.539] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x58c9fd, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0064.539] ReadFile (in: hFile=0x1b8, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0064.617] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x316fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0064.617] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x1065df8, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0064.617] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c30058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0064.800] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0064.800] WriteFile (in: hFile=0x1b8, lpBuffer=0x3bb0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x316fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesWritten=0x316fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0064.996] SetEndOfFile (hFile=0x1b8) returned 1 [0065.220] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x4092090 [0065.220] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0065.220] WriteFile (in: hFile=0x1b8, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0065.221] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x58c9fd, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0065.221] WriteFile (in: hFile=0x1b8, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0065.222] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x1065df8, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0065.222] WriteFile (in: hFile=0x1b8, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0065.224] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4092090 | out: hHeap=0x5f0000) returned 1 [0065.225] CloseHandle (hObject=0x1b8) returned 1 [0065.225] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0065.225] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0065.225] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0065.225] lstrlenW (lpString=".doc") returned 4 [0065.225] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0065.225] lstrlenW (lpString=".docx") returned 5 [0065.225] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0065.225] lstrlenW (lpString=".pdf") returned 4 [0065.225] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0065.225] lstrlenW (lpString=".xls") returned 4 [0065.225] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0065.225] lstrlenW (lpString=".xlsx") returned 5 [0065.225] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0065.225] lstrlenW (lpString=".ppt") returned 4 [0065.225] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0065.225] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0065.225] lstrlenW (lpString=".zip") returned 4 [0065.225] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0065.226] lstrlenW (lpString=".rar") returned 4 [0065.226] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0065.226] lstrlenW (lpString=".bz2") returned 4 [0065.226] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0065.226] lstrlenW (lpString=".7z") returned 3 [0065.226] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0065.226] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0065.226] lstrlenW (lpString=".dbf") returned 4 [0065.226] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0065.226] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0065.226] lstrlenW (lpString=".1cd") returned 4 [0065.226] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0065.226] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0065.226] lstrlenW (lpString=".jpg") returned 4 [0065.226] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0065.226] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0065.226] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0065.226] lstrlenW (lpString=".doc") returned 4 [0065.226] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0065.226] lstrlenW (lpString=".docx") returned 5 [0065.226] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0065.226] lstrlenW (lpString=".pdf") returned 4 [0065.226] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0065.226] lstrlenW (lpString=".xls") returned 4 [0065.226] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0065.226] lstrlenW (lpString=".xlsx") returned 5 [0065.226] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0065.226] lstrlenW (lpString=".ppt") returned 4 [0065.226] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0065.226] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0065.227] lstrlenW (lpString=".zip") returned 4 [0065.227] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0065.227] lstrlenW (lpString=".rar") returned 4 [0065.227] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0065.227] lstrlenW (lpString=".bz2") returned 4 [0065.227] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0065.227] lstrlenW (lpString=".7z") returned 3 [0065.227] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0065.227] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0065.227] lstrlenW (lpString=".dbf") returned 4 [0065.227] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0065.227] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0065.227] lstrlenW (lpString=".1cd") returned 4 [0065.227] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0065.227] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0065.227] lstrlenW (lpString=".jpg") returned 4 [0065.227] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0065.327] lstrcmpiW (lpString1=".cab", lpString2=".bmd") returned 1 [0065.327] lstrlenW (lpString="ProjLR.cab") returned 10 [0065.327] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0065.333] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x316ff1c | out: lpFileSize=0x316ff1c*=8265165) returned 1 [0065.333] CloseHandle (hObject=0x188) returned 1 [0065.333] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab")) returned 0x2020 [0065.333] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0065.333] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0065.334] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0065.334] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc6c | out: lpNewFilePointer=0x0) returned 1 [0065.334] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0065.334] ReadFile (in: hFile=0x188, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0065.345] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x2a09ef, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0065.345] ReadFile (in: hFile=0x188, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0065.357] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x316fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0065.357] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x7a1dcd, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0065.357] ReadFile (in: hFile=0x188, lpBuffer=0x3c30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c30058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0065.407] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0065.407] WriteFile (in: hFile=0x188, lpBuffer=0x3bb0020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x316fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesWritten=0x316fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0066.646] SetEndOfFile (hFile=0x188) returned 1 [0066.646] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x4092090 [0066.646] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0066.646] WriteFile (in: hFile=0x188, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0066.648] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x2a09ef, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0066.648] WriteFile (in: hFile=0x188, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0066.651] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x7a1dcd, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0066.651] WriteFile (in: hFile=0x188, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0066.655] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4092090 | out: hHeap=0x5f0000) returned 1 [0066.655] CloseHandle (hObject=0x188) returned 1 [0066.655] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0066.655] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0066.655] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0066.655] lstrlenW (lpString=".doc") returned 4 [0066.655] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0066.655] lstrlenW (lpString=".docx") returned 5 [0066.655] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0066.655] lstrlenW (lpString=".pdf") returned 4 [0066.656] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0066.656] lstrlenW (lpString=".xls") returned 4 [0066.656] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0066.656] lstrlenW (lpString=".xlsx") returned 5 [0066.656] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0066.656] lstrlenW (lpString=".ppt") returned 4 [0066.656] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0066.656] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0066.656] lstrlenW (lpString=".zip") returned 4 [0066.656] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0066.656] lstrlenW (lpString=".rar") returned 4 [0066.656] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0066.656] lstrlenW (lpString=".bz2") returned 4 [0066.656] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0066.656] lstrlenW (lpString=".7z") returned 3 [0066.656] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0066.656] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0066.656] lstrlenW (lpString=".dbf") returned 4 [0066.656] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0066.656] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0066.656] lstrlenW (lpString=".1cd") returned 4 [0066.656] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0066.656] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0066.656] lstrlenW (lpString=".jpg") returned 4 [0066.656] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0066.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0066.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0066.657] lstrlenW (lpString=".doc") returned 4 [0066.657] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0066.657] lstrlenW (lpString=".docx") returned 5 [0066.657] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0066.657] lstrlenW (lpString=".pdf") returned 4 [0066.657] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0066.657] lstrlenW (lpString=".xls") returned 4 [0066.657] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0066.657] lstrlenW (lpString=".xlsx") returned 5 [0066.657] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0066.657] lstrlenW (lpString=".ppt") returned 4 [0066.657] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0066.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0066.657] lstrlenW (lpString=".zip") returned 4 [0066.657] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0066.657] lstrlenW (lpString=".rar") returned 4 [0066.657] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0066.658] lstrlenW (lpString=".bz2") returned 4 [0066.658] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0066.658] lstrlenW (lpString=".7z") returned 3 [0066.658] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0066.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0066.658] lstrlenW (lpString=".dbf") returned 4 [0066.658] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0066.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0066.658] lstrlenW (lpString=".1cd") returned 4 [0066.658] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0066.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0066.658] lstrlenW (lpString=".jpg") returned 4 [0066.658] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0066.659] lstrcmpiW (lpString1=".EXE", lpString2=".bmd") returned 1 [0066.659] lstrlenW (lpString="DW20.EXE") returned 8 [0066.659] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0066.782] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x316ff1c | out: lpFileSize=0x316ff1c*=838536) returned 1 [0066.782] CloseHandle (hObject=0x190) returned 1 [0066.782] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe")) returned 0x2020 [0066.782] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0066.782] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0066.782] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0066.782] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0066.782] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0066.783] GetLastError () returned 0x0 [0066.783] ReadFile (in: hFile=0x190, lpBuffer=0x3bb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x316fed4, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesRead=0x316fed4*=0xccb88, lpOverlapped=0x0) returned 1 [0066.804] WriteFile (in: hFile=0x188, lpBuffer=0x3bb0020*, nNumberOfBytesToWrite=0xccb90, lpNumberOfBytesWritten=0x316fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesWritten=0x316fc9c*=0xccb90, lpOverlapped=0x0) returned 1 [0066.975] ReadFile (in: hFile=0x190, lpBuffer=0x3bb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x316fed4, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesRead=0x316fed4*=0x0, lpOverlapped=0x0) returned 1 [0066.975] WriteFile (in: hFile=0x188, lpBuffer=0x3bb0020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x316fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesWritten=0x316fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0066.975] SetEndOfFile (hFile=0x188) returned 1 [0067.219] CloseHandle (hObject=0x188) returned 1 [0067.219] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.219] SetEndOfFile (hFile=0x190) returned 1 [0067.237] CloseHandle (hObject=0x190) returned 1 [0067.238] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0067.262] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe")) returned 1 [0067.262] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0067.262] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0067.262] lstrlenW (lpString=".doc") returned 4 [0067.262] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0067.262] lstrlenW (lpString=".docx") returned 5 [0067.262] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0067.262] lstrlenW (lpString=".pdf") returned 4 [0067.262] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0067.262] lstrlenW (lpString=".xls") returned 4 [0067.262] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0067.262] lstrlenW (lpString=".xlsx") returned 5 [0067.263] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0067.263] lstrlenW (lpString=".ppt") returned 4 [0067.263] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0067.263] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0067.263] lstrlenW (lpString=".zip") returned 4 [0067.263] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0067.263] lstrlenW (lpString=".rar") returned 4 [0067.263] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0067.263] lstrlenW (lpString=".bz2") returned 4 [0067.263] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0067.263] lstrlenW (lpString=".7z") returned 3 [0067.263] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0067.263] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0067.263] lstrlenW (lpString=".dbf") returned 4 [0067.263] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0067.263] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0067.263] lstrlenW (lpString=".1cd") returned 4 [0067.263] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0067.263] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0067.263] lstrlenW (lpString=".jpg") returned 4 [0067.263] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0067.263] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0067.263] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0067.263] lstrlenW (lpString=".doc") returned 4 [0067.263] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0067.263] lstrlenW (lpString=".docx") returned 5 [0067.264] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0067.264] lstrlenW (lpString=".pdf") returned 4 [0067.264] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0067.264] lstrlenW (lpString=".xls") returned 4 [0067.264] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0067.264] lstrlenW (lpString=".xlsx") returned 5 [0067.264] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0067.264] lstrlenW (lpString=".ppt") returned 4 [0067.264] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0067.264] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0067.264] lstrlenW (lpString=".zip") returned 4 [0067.264] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0067.264] lstrlenW (lpString=".rar") returned 4 [0067.264] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0067.264] lstrlenW (lpString=".bz2") returned 4 [0067.264] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0067.264] lstrlenW (lpString=".7z") returned 3 [0067.264] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0067.264] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0067.264] lstrlenW (lpString=".dbf") returned 4 [0067.264] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0067.264] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0067.264] lstrlenW (lpString=".1cd") returned 4 [0067.264] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0067.264] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0067.264] lstrlenW (lpString=".jpg") returned 4 [0067.264] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0067.265] lstrcmpiW (lpString1=".cab", lpString2=".bmd") returned 1 [0067.265] lstrlenW (lpString="OfficeLR.cab") returned 12 [0067.265] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0067.265] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x316ff1c | out: lpFileSize=0x316ff1c*=14127746) returned 1 [0067.265] CloseHandle (hObject=0x190) returned 1 [0067.265] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab")) returned 0x2020 [0067.265] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.265] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0067.266] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0067.266] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc6c | out: lpNewFilePointer=0x0) returned 1 [0067.266] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0067.266] ReadFile (in: hFile=0x190, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0067.271] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x47db80, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0067.271] ReadFile (in: hFile=0x190, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0067.278] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x316fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0067.278] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xd39282, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0067.278] ReadFile (in: hFile=0x190, lpBuffer=0x3c30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c30058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0067.456] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.457] WriteFile (in: hFile=0x190, lpBuffer=0x3bb0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x316fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesWritten=0x316fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0067.481] SetEndOfFile (hFile=0x190) returned 1 [0067.481] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x4092090 [0067.484] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0067.484] WriteFile (in: hFile=0x190, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0067.486] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x47db80, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0067.486] WriteFile (in: hFile=0x190, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0067.487] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xd39282, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0067.487] WriteFile (in: hFile=0x190, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0067.490] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4092090 | out: hHeap=0x5f0000) returned 1 [0067.490] CloseHandle (hObject=0x190) returned 1 [0067.490] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0067.490] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0067.490] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0067.490] lstrlenW (lpString=".doc") returned 4 [0067.491] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0067.491] lstrlenW (lpString=".docx") returned 5 [0067.491] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0067.491] lstrlenW (lpString=".pdf") returned 4 [0067.491] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0067.491] lstrlenW (lpString=".xls") returned 4 [0067.491] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0067.491] lstrlenW (lpString=".xlsx") returned 5 [0067.491] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0067.491] lstrlenW (lpString=".ppt") returned 4 [0067.491] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0067.491] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0067.491] lstrlenW (lpString=".zip") returned 4 [0067.491] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0067.491] lstrlenW (lpString=".rar") returned 4 [0067.491] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0067.491] lstrlenW (lpString=".bz2") returned 4 [0067.491] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0067.491] lstrlenW (lpString=".7z") returned 3 [0067.491] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0067.491] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0067.491] lstrlenW (lpString=".dbf") returned 4 [0067.491] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0067.491] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0067.491] lstrlenW (lpString=".1cd") returned 4 [0067.491] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0067.491] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0067.491] lstrlenW (lpString=".jpg") returned 4 [0067.492] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0067.492] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0067.492] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0067.492] lstrlenW (lpString=".doc") returned 4 [0067.492] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0067.492] lstrlenW (lpString=".docx") returned 5 [0067.492] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0067.492] lstrlenW (lpString=".pdf") returned 4 [0067.492] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0067.492] lstrlenW (lpString=".xls") returned 4 [0067.492] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0067.492] lstrlenW (lpString=".xlsx") returned 5 [0067.492] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0067.492] lstrlenW (lpString=".ppt") returned 4 [0067.492] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0067.492] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0067.492] lstrlenW (lpString=".zip") returned 4 [0067.492] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0067.492] lstrlenW (lpString=".rar") returned 4 [0067.492] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0067.492] lstrlenW (lpString=".bz2") returned 4 [0067.492] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0067.492] lstrlenW (lpString=".7z") returned 3 [0067.492] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0067.492] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0067.492] lstrlenW (lpString=".dbf") returned 4 [0067.493] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0067.493] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0067.493] lstrlenW (lpString=".1cd") returned 4 [0067.493] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0067.493] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0067.493] lstrlenW (lpString=".jpg") returned 4 [0067.493] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0067.493] lstrcmpiW (lpString1=".MST", lpString2=".bmd") returned 1 [0067.493] lstrlenW (lpString="ShellUI.MST") returned 11 [0067.493] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0067.494] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x316ff1c | out: lpFileSize=0x316ff1c*=3584) returned 1 [0067.494] CloseHandle (hObject=0x190) returned 1 [0067.494] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst")) returned 0x2020 [0067.494] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.494] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0067.494] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.494] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.494] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0067.495] GetLastError () returned 0x0 [0067.495] ReadFile (in: hFile=0x190, lpBuffer=0x3bb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x316fed4, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesRead=0x316fed4*=0xe00, lpOverlapped=0x0) returned 1 [0067.672] WriteFile (in: hFile=0x19c, lpBuffer=0x3bb0020*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x316fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesWritten=0x316fc9c*=0xe10, lpOverlapped=0x0) returned 1 [0067.674] ReadFile (in: hFile=0x190, lpBuffer=0x3bb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x316fed4, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesRead=0x316fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.674] WriteFile (in: hFile=0x19c, lpBuffer=0x3bb0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x316fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesWritten=0x316fc9c*=0xea, lpOverlapped=0x0) returned 1 [0067.674] SetEndOfFile (hFile=0x19c) returned 1 [0067.674] CloseHandle (hObject=0x19c) returned 1 [0067.674] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.674] SetEndOfFile (hFile=0x190) returned 1 [0067.676] CloseHandle (hObject=0x190) returned 1 [0067.676] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0067.676] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst")) returned 1 [0067.676] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0067.676] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0067.676] lstrlenW (lpString=".doc") returned 4 [0067.676] lstrcmpiW (lpString1=".doc", lpString2=".MST") returned -1 [0067.677] lstrlenW (lpString=".docx") returned 5 [0067.677] lstrcmpiW (lpString1=".docx", lpString2="I.MST") returned -1 [0067.677] lstrlenW (lpString=".pdf") returned 4 [0067.677] lstrcmpiW (lpString1=".pdf", lpString2=".MST") returned 1 [0067.677] lstrlenW (lpString=".xls") returned 4 [0067.677] lstrcmpiW (lpString1=".xls", lpString2=".MST") returned 1 [0067.677] lstrlenW (lpString=".xlsx") returned 5 [0067.677] lstrcmpiW (lpString1=".xlsx", lpString2="I.MST") returned -1 [0067.677] lstrlenW (lpString=".ppt") returned 4 [0067.677] lstrcmpiW (lpString1=".ppt", lpString2=".MST") returned 1 [0067.677] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0067.677] lstrlenW (lpString=".zip") returned 4 [0067.677] lstrcmpiW (lpString1=".zip", lpString2=".MST") returned 1 [0067.677] lstrlenW (lpString=".rar") returned 4 [0067.677] lstrcmpiW (lpString1=".rar", lpString2=".MST") returned 1 [0067.677] lstrlenW (lpString=".bz2") returned 4 [0067.677] lstrcmpiW (lpString1=".bz2", lpString2=".MST") returned -1 [0067.677] lstrlenW (lpString=".7z") returned 3 [0067.677] lstrcmpiW (lpString1=".7z", lpString2="MST") returned -1 [0067.677] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0067.677] lstrlenW (lpString=".dbf") returned 4 [0067.678] lstrcmpiW (lpString1=".dbf", lpString2=".MST") returned -1 [0067.678] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0067.678] lstrlenW (lpString=".1cd") returned 4 [0067.678] lstrcmpiW (lpString1=".1cd", lpString2=".MST") returned -1 [0067.678] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0067.678] lstrlenW (lpString=".jpg") returned 4 [0067.678] lstrcmpiW (lpString1=".jpg", lpString2=".MST") returned -1 [0067.678] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0067.678] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0067.678] lstrlenW (lpString=".doc") returned 4 [0067.678] lstrcmpiW (lpString1=".doc", lpString2=".MST") returned -1 [0067.678] lstrlenW (lpString=".docx") returned 5 [0067.678] lstrcmpiW (lpString1=".docx", lpString2="I.MST") returned -1 [0067.678] lstrlenW (lpString=".pdf") returned 4 [0067.678] lstrcmpiW (lpString1=".pdf", lpString2=".MST") returned 1 [0067.678] lstrlenW (lpString=".xls") returned 4 [0067.678] lstrcmpiW (lpString1=".xls", lpString2=".MST") returned 1 [0067.678] lstrlenW (lpString=".xlsx") returned 5 [0067.678] lstrcmpiW (lpString1=".xlsx", lpString2="I.MST") returned -1 [0067.678] lstrlenW (lpString=".ppt") returned 4 [0067.679] lstrcmpiW (lpString1=".ppt", lpString2=".MST") returned 1 [0067.679] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0067.679] lstrlenW (lpString=".zip") returned 4 [0067.679] lstrcmpiW (lpString1=".zip", lpString2=".MST") returned 1 [0067.679] lstrlenW (lpString=".rar") returned 4 [0067.679] lstrcmpiW (lpString1=".rar", lpString2=".MST") returned 1 [0067.679] lstrlenW (lpString=".bz2") returned 4 [0067.679] lstrcmpiW (lpString1=".bz2", lpString2=".MST") returned -1 [0067.679] lstrlenW (lpString=".7z") returned 3 [0067.679] lstrcmpiW (lpString1=".7z", lpString2="MST") returned -1 [0067.679] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0067.679] lstrlenW (lpString=".dbf") returned 4 [0067.679] lstrcmpiW (lpString1=".dbf", lpString2=".MST") returned -1 [0067.679] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0067.679] lstrlenW (lpString=".1cd") returned 4 [0067.679] lstrcmpiW (lpString1=".1cd", lpString2=".MST") returned -1 [0067.679] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0067.679] lstrlenW (lpString=".jpg") returned 4 [0067.679] lstrcmpiW (lpString1=".jpg", lpString2=".MST") returned -1 [0067.680] lstrcmpiW (lpString1=".cab", lpString2=".bmd") returned 1 [0067.680] lstrlenW (lpString="AccLR.cab") returned 9 [0067.680] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0067.839] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x316ff1c | out: lpFileSize=0x316ff1c*=28016276) returned 1 [0067.839] CloseHandle (hObject=0x19c) returned 1 [0067.839] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab")) returned 0x2020 [0067.839] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.839] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0067.840] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0067.840] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc6c | out: lpNewFilePointer=0x0) returned 1 [0067.840] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0067.840] ReadFile (in: hFile=0x19c, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0067.846] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x8e7f86, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0067.846] ReadFile (in: hFile=0x19c, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0067.855] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x316fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0067.855] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x1a77e94, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0067.855] ReadFile (in: hFile=0x19c, lpBuffer=0x3c30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c30058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0067.877] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.877] WriteFile (in: hFile=0x19c, lpBuffer=0x3bb0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x316fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesWritten=0x316fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0068.948] SetEndOfFile (hFile=0x19c) returned 1 [0068.949] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x4092090 [0068.952] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0068.952] WriteFile (in: hFile=0x19c, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0068.953] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x8e7f86, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0068.953] WriteFile (in: hFile=0x19c, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0068.956] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x1a77e94, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0068.956] WriteFile (in: hFile=0x19c, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0068.959] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4092090 | out: hHeap=0x5f0000) returned 1 [0068.959] CloseHandle (hObject=0x19c) returned 1 [0068.959] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0068.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0068.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0068.960] lstrlenW (lpString=".doc") returned 4 [0068.960] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0068.960] lstrlenW (lpString=".docx") returned 5 [0068.960] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0068.960] lstrlenW (lpString=".pdf") returned 4 [0068.960] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0068.960] lstrlenW (lpString=".xls") returned 4 [0068.960] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0068.960] lstrlenW (lpString=".xlsx") returned 5 [0068.960] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0068.960] lstrlenW (lpString=".ppt") returned 4 [0068.960] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0068.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0068.960] lstrlenW (lpString=".zip") returned 4 [0068.960] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0068.960] lstrlenW (lpString=".rar") returned 4 [0068.960] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0068.960] lstrlenW (lpString=".bz2") returned 4 [0068.960] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0068.961] lstrlenW (lpString=".7z") returned 3 [0068.961] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0068.961] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0068.961] lstrlenW (lpString=".dbf") returned 4 [0068.961] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0068.961] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0068.961] lstrlenW (lpString=".1cd") returned 4 [0068.961] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0068.961] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0068.961] lstrlenW (lpString=".jpg") returned 4 [0068.961] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0068.961] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0068.961] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0068.961] lstrlenW (lpString=".doc") returned 4 [0068.961] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0068.961] lstrlenW (lpString=".docx") returned 5 [0068.962] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0068.962] lstrlenW (lpString=".pdf") returned 4 [0068.962] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0068.962] lstrlenW (lpString=".xls") returned 4 [0068.962] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0068.962] lstrlenW (lpString=".xlsx") returned 5 [0068.962] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0068.962] lstrlenW (lpString=".ppt") returned 4 [0068.962] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0068.962] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0068.962] lstrlenW (lpString=".zip") returned 4 [0068.962] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0068.962] lstrlenW (lpString=".rar") returned 4 [0068.962] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0068.962] lstrlenW (lpString=".bz2") returned 4 [0068.962] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0068.962] lstrlenW (lpString=".7z") returned 3 [0068.963] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0068.963] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0068.963] lstrlenW (lpString=".dbf") returned 4 [0068.963] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0068.963] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0068.963] lstrlenW (lpString=".1cd") returned 4 [0068.963] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0068.963] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0068.963] lstrlenW (lpString=".jpg") returned 4 [0068.963] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0068.963] lstrcmpiW (lpString1=".exe", lpString2=".bmd") returned 1 [0068.963] lstrlenW (lpString="ose.exe") returned 7 [0068.963] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0068.964] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x316ff1c | out: lpFileSize=0x316ff1c*=174440) returned 1 [0068.964] CloseHandle (hObject=0x19c) returned 1 [0068.964] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 0x2020 [0068.964] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0068.964] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0068.964] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.964] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.965] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0068.965] GetLastError () returned 0x0 [0068.965] ReadFile (in: hFile=0x19c, lpBuffer=0x3bb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x316fed4, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesRead=0x316fed4*=0x2a968, lpOverlapped=0x0) returned 1 [0069.302] WriteFile (in: hFile=0x1f4, lpBuffer=0x3bb0020*, nNumberOfBytesToWrite=0x2a970, lpNumberOfBytesWritten=0x316fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesWritten=0x316fc9c*=0x2a970, lpOverlapped=0x0) returned 1 [0069.307] ReadFile (in: hFile=0x19c, lpBuffer=0x3bb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x316fed4, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesRead=0x316fed4*=0x0, lpOverlapped=0x0) returned 1 [0069.307] WriteFile (in: hFile=0x1f4, lpBuffer=0x3bb0020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x316fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesWritten=0x316fc9c*=0xe2, lpOverlapped=0x0) returned 1 [0069.307] SetEndOfFile (hFile=0x1f4) returned 1 [0069.307] CloseHandle (hObject=0x1f4) returned 1 [0069.308] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.308] SetEndOfFile (hFile=0x19c) returned 1 [0069.310] CloseHandle (hObject=0x19c) returned 1 [0069.310] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0069.311] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 1 [0069.311] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0069.311] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0069.311] lstrlenW (lpString=".doc") returned 4 [0069.311] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0069.311] lstrlenW (lpString=".docx") returned 5 [0069.311] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0069.311] lstrlenW (lpString=".pdf") returned 4 [0069.311] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0069.311] lstrlenW (lpString=".xls") returned 4 [0069.311] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0069.311] lstrlenW (lpString=".xlsx") returned 5 [0069.311] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0069.311] lstrlenW (lpString=".ppt") returned 4 [0069.312] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0069.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0069.312] lstrlenW (lpString=".zip") returned 4 [0069.312] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0069.312] lstrlenW (lpString=".rar") returned 4 [0069.312] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0069.312] lstrlenW (lpString=".bz2") returned 4 [0069.312] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0069.312] lstrlenW (lpString=".7z") returned 3 [0069.312] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0069.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0069.312] lstrlenW (lpString=".dbf") returned 4 [0069.312] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0069.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0069.312] lstrlenW (lpString=".1cd") returned 4 [0069.312] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0069.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0069.312] lstrlenW (lpString=".jpg") returned 4 [0069.312] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0069.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0069.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0069.312] lstrlenW (lpString=".doc") returned 4 [0069.312] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0069.313] lstrlenW (lpString=".docx") returned 5 [0069.313] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0069.313] lstrlenW (lpString=".pdf") returned 4 [0069.313] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0069.313] lstrlenW (lpString=".xls") returned 4 [0069.313] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0069.313] lstrlenW (lpString=".xlsx") returned 5 [0069.313] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0069.313] lstrlenW (lpString=".ppt") returned 4 [0069.313] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0069.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0069.313] lstrlenW (lpString=".zip") returned 4 [0069.313] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0069.313] lstrlenW (lpString=".rar") returned 4 [0069.313] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0069.313] lstrlenW (lpString=".bz2") returned 4 [0069.313] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0069.313] lstrlenW (lpString=".7z") returned 3 [0069.313] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0069.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0069.313] lstrlenW (lpString=".dbf") returned 4 [0069.313] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0069.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0069.313] lstrlenW (lpString=".1cd") returned 4 [0069.313] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0069.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0069.314] lstrlenW (lpString=".jpg") returned 4 [0069.314] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0069.314] lstrcmpiW (lpString1=".cab", lpString2=".bmd") returned 1 [0069.314] lstrlenW (lpString="OWOW32WW.cab") returned 12 [0069.314] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0069.314] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x316ff1c | out: lpFileSize=0x316ff1c*=36233052) returned 1 [0069.315] CloseHandle (hObject=0x19c) returned 1 [0069.315] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab")) returned 0x2020 [0069.315] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0069.315] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0069.316] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0069.316] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc6c | out: lpNewFilePointer=0x0) returned 1 [0069.316] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0069.316] ReadFile (in: hFile=0x19c, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0069.320] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0069.320] ReadFile (in: hFile=0x19c, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0069.327] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x316fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0069.327] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x316fc2c | out: lpNewFilePointer=0x0) returned 1 [0069.328] ReadFile (in: hFile=0x19c, lpBuffer=0x3c30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x316fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c30058*, lpNumberOfBytesRead=0x316fc38*=0x40000, lpOverlapped=0x0) returned 1 [0069.349] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.349] WriteFile (in: hFile=0x19c, lpBuffer=0x3bb0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x316fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3bb0020*, lpNumberOfBytesWritten=0x316fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0069.829] SetEndOfFile (hFile=0x19c) returned 1 [0069.829] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x4092090 [0069.833] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0069.833] WriteFile (in: hFile=0x19c, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0069.834] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0069.834] WriteFile (in: hFile=0x19c, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0069.836] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x316fc7c | out: lpNewFilePointer=0x0) returned 1 [0069.836] WriteFile (in: hFile=0x19c, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x316fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x316fc88*=0x40000, lpOverlapped=0x0) returned 1 [0069.839] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4092090 | out: hHeap=0x5f0000) returned 1 [0069.839] CloseHandle (hObject=0x19c) returned 1 [0069.839] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0069.839] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0069.839] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0069.839] lstrlenW (lpString=".doc") returned 4 [0069.839] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0069.839] lstrlenW (lpString=".docx") returned 5 [0069.839] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0069.840] lstrlenW (lpString=".pdf") returned 4 [0069.840] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0069.840] lstrlenW (lpString=".xls") returned 4 [0069.840] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0069.840] lstrlenW (lpString=".xlsx") returned 5 [0069.840] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0069.840] lstrlenW (lpString=".ppt") returned 4 [0069.840] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0069.840] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0069.840] lstrlenW (lpString=".zip") returned 4 [0069.840] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0069.840] lstrlenW (lpString=".rar") returned 4 [0069.840] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0069.840] lstrlenW (lpString=".bz2") returned 4 [0069.840] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0069.840] lstrlenW (lpString=".7z") returned 3 [0069.840] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0069.840] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0069.840] lstrlenW (lpString=".dbf") returned 4 [0069.840] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0069.840] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0069.840] lstrlenW (lpString=".1cd") returned 4 [0069.840] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0069.840] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0069.840] lstrlenW (lpString=".jpg") returned 4 [0069.841] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0069.841] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0069.841] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0069.841] lstrlenW (lpString=".doc") returned 4 [0069.841] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0069.841] lstrlenW (lpString=".docx") returned 5 [0069.841] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0069.841] lstrlenW (lpString=".pdf") returned 4 [0069.841] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0069.841] lstrlenW (lpString=".xls") returned 4 [0069.841] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0069.841] lstrlenW (lpString=".xlsx") returned 5 [0069.841] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0069.841] lstrlenW (lpString=".ppt") returned 4 [0069.841] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0069.841] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0069.841] lstrlenW (lpString=".zip") returned 4 [0069.841] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0069.841] lstrlenW (lpString=".rar") returned 4 [0069.841] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0069.841] lstrlenW (lpString=".bz2") returned 4 [0069.841] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0069.842] lstrlenW (lpString=".7z") returned 3 [0069.842] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0069.842] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0069.842] lstrlenW (lpString=".dbf") returned 4 [0069.842] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0069.842] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0069.842] lstrlenW (lpString=".1cd") returned 4 [0069.842] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0069.842] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0069.842] lstrlenW (lpString=".jpg") returned 4 [0069.842] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0069.842] lstrcmpiW (lpString1=".cab", lpString2=".bmd") returned 1 [0069.842] lstrlenW (lpString="ProPrWW.cab") returned 11 [0069.842] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 18 os_tid = 0x5cc [0048.376] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x38e0088 [0048.376] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x38f0090 [0048.376] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646af0 [0048.376] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x646f70 [0048.376] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646b08 [0048.376] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x3cc0020 [0048.377] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646b20 [0048.377] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646b20, Size=0x20) returned 0x63c758 [0048.377] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646b20 [0048.377] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646b20, Size=0x20) returned 0x63c7a8 [0048.377] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0048.377] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0048.377] Wow64DisableWow64FsRedirection (in: OldValue=0x33bff58 | out: OldValue=0x33bff58*=0x0) returned 1 [0048.377] lstrlenW (lpString="kernel32.dll") returned 12 [0048.377] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c758 | out: hHeap=0x5f0000) returned 1 [0048.377] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0048.377] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c7a8 | out: hHeap=0x5f0000) returned 1 [0048.378] Sleep (dwMilliseconds=0x64) [0048.595] lstrcmpiW (lpString1=".ttf", lpString2=".bmd") returned 1 [0048.595] lstrlenW (lpString="jpn_boot.ttf") returned 12 [0048.595] CreateFileW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0048.957] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x33bff1c | out: lpFileSize=0x33bff1c*=1984228) returned 1 [0048.958] CloseHandle (hObject=0x188) returned 1 [0048.958] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf")) returned 0x20 [0048.958] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.958] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0 [0048.958] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0048.958] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0048.958] lstrlenW (lpString=".doc") returned 4 [0048.958] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0048.958] lstrlenW (lpString=".docx") returned 5 [0048.958] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0048.958] lstrlenW (lpString=".pdf") returned 4 [0048.958] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0048.958] lstrlenW (lpString=".xls") returned 4 [0048.958] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0048.958] lstrlenW (lpString=".xlsx") returned 5 [0048.958] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0048.958] lstrlenW (lpString=".ppt") returned 4 [0048.958] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0048.958] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0048.958] lstrlenW (lpString=".zip") returned 4 [0048.958] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0048.958] lstrlenW (lpString=".rar") returned 4 [0048.958] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0048.958] lstrlenW (lpString=".bz2") returned 4 [0048.959] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0048.959] lstrlenW (lpString=".7z") returned 3 [0048.959] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0048.959] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0048.959] lstrlenW (lpString=".dbf") returned 4 [0048.959] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0048.959] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0048.959] lstrlenW (lpString=".1cd") returned 4 [0048.959] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0048.959] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0048.959] lstrlenW (lpString=".jpg") returned 4 [0048.959] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0048.959] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0048.959] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0048.959] lstrlenW (lpString=".doc") returned 4 [0048.959] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0048.959] lstrlenW (lpString=".docx") returned 5 [0048.959] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0048.959] lstrlenW (lpString=".pdf") returned 4 [0048.959] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0048.959] lstrlenW (lpString=".xls") returned 4 [0048.959] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0048.959] lstrlenW (lpString=".xlsx") returned 5 [0048.959] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0048.959] lstrlenW (lpString=".ppt") returned 4 [0048.959] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0048.959] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0048.959] lstrlenW (lpString=".zip") returned 4 [0048.959] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0048.959] lstrlenW (lpString=".rar") returned 4 [0048.959] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0048.959] lstrlenW (lpString=".bz2") returned 4 [0048.959] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0048.960] lstrlenW (lpString=".7z") returned 3 [0048.960] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0048.960] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0048.960] lstrlenW (lpString=".dbf") returned 4 [0048.960] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0048.960] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0048.960] lstrlenW (lpString=".1cd") returned 4 [0048.960] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0048.960] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0048.960] lstrlenW (lpString=".jpg") returned 4 [0048.960] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0048.960] lstrcmpiW (lpString1=".cab", lpString2=".bmd") returned 1 [0048.960] lstrlenW (lpString="PptLR.cab") returned 9 [0048.960] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0048.996] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x33bff1c | out: lpFileSize=0x33bff1c*=70361744) returned 1 [0048.996] CloseHandle (hObject=0x1b8) returned 1 [0048.996] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab")) returned 0x2020 [0048.996] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.996] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0048.997] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0048.997] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc6c | out: lpNewFilePointer=0x0) returned 1 [0048.997] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc2c | out: lpNewFilePointer=0x0) returned 1 [0048.997] ReadFile (in: hFile=0x1b8, lpBuffer=0x3cc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cc0058*, lpNumberOfBytesRead=0x33bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.618] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x165e0da, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc2c | out: lpNewFilePointer=0x0) returned 1 [0049.618] ReadFile (in: hFile=0x1b8, lpBuffer=0x3d00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d00058*, lpNumberOfBytesRead=0x33bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.659] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x33bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0049.659] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x42da290, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc2c | out: lpNewFilePointer=0x0) returned 1 [0049.659] ReadFile (in: hFile=0x1b8, lpBuffer=0x3d40058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d40058*, lpNumberOfBytesRead=0x33bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.960] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.961] WriteFile (in: hFile=0x1b8, lpBuffer=0x3cc0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x33bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesWritten=0x33bfcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0051.121] SetEndOfFile (hFile=0x1b8) returned 1 [0051.121] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x4033078 [0051.348] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc7c | out: lpNewFilePointer=0x0) returned 1 [0051.348] WriteFile (in: hFile=0x1b8, lpBuffer=0x4033078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33bfc88, lpOverlapped=0x0 | out: lpBuffer=0x4033078*, lpNumberOfBytesWritten=0x33bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.349] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x165e0da, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc7c | out: lpNewFilePointer=0x0) returned 1 [0051.349] WriteFile (in: hFile=0x1b8, lpBuffer=0x4033078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33bfc88, lpOverlapped=0x0 | out: lpBuffer=0x4033078*, lpNumberOfBytesWritten=0x33bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.350] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x42da290, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc7c | out: lpNewFilePointer=0x0) returned 1 [0051.350] WriteFile (in: hFile=0x1b8, lpBuffer=0x4033078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33bfc88, lpOverlapped=0x0 | out: lpBuffer=0x4033078*, lpNumberOfBytesWritten=0x33bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.352] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4033078 | out: hHeap=0x5f0000) returned 1 [0051.352] CloseHandle (hObject=0x1b8) returned 1 [0053.609] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0053.609] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0053.609] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0053.609] lstrlenW (lpString=".doc") returned 4 [0053.609] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0053.609] lstrlenW (lpString=".docx") returned 5 [0053.609] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0053.609] lstrlenW (lpString=".pdf") returned 4 [0053.609] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0053.609] lstrlenW (lpString=".xls") returned 4 [0053.609] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0053.610] lstrlenW (lpString=".xlsx") returned 5 [0053.610] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0053.610] lstrlenW (lpString=".ppt") returned 4 [0053.610] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0053.610] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0053.610] lstrlenW (lpString=".zip") returned 4 [0053.610] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0053.610] lstrlenW (lpString=".rar") returned 4 [0053.610] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0053.610] lstrlenW (lpString=".bz2") returned 4 [0053.610] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0053.610] lstrlenW (lpString=".7z") returned 3 [0053.610] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0053.610] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0053.610] lstrlenW (lpString=".dbf") returned 4 [0053.610] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0053.610] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0053.610] lstrlenW (lpString=".1cd") returned 4 [0053.610] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0053.610] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0053.610] lstrlenW (lpString=".jpg") returned 4 [0053.610] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0053.610] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0053.610] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0053.610] lstrlenW (lpString=".doc") returned 4 [0053.610] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0053.611] lstrlenW (lpString=".docx") returned 5 [0053.611] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0053.611] lstrlenW (lpString=".pdf") returned 4 [0053.611] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0053.611] lstrlenW (lpString=".xls") returned 4 [0053.611] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0053.611] lstrlenW (lpString=".xlsx") returned 5 [0053.611] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0053.611] lstrlenW (lpString=".ppt") returned 4 [0053.611] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0053.611] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0053.611] lstrlenW (lpString=".zip") returned 4 [0053.611] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0053.611] lstrlenW (lpString=".rar") returned 4 [0053.611] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0053.611] lstrlenW (lpString=".bz2") returned 4 [0053.611] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0053.611] lstrlenW (lpString=".7z") returned 3 [0053.612] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0053.612] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0053.612] lstrlenW (lpString=".dbf") returned 4 [0053.612] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0053.612] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0053.612] lstrlenW (lpString=".1cd") returned 4 [0053.612] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0053.612] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0053.612] lstrlenW (lpString=".jpg") returned 4 [0053.612] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0053.612] lstrcmpiW (lpString1=".msi", lpString2=".bmd") returned 1 [0053.612] lstrlenW (lpString="OutlookMUI.msi") returned 14 [0053.612] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0053.613] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x33bff1c | out: lpFileSize=0x33bff1c*=2865664) returned 1 [0053.613] CloseHandle (hObject=0x1b8) returned 1 [0053.613] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi")) returned 0x2020 [0053.613] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0053.613] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0053.613] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0053.614] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc6c | out: lpNewFilePointer=0x0) returned 1 [0053.614] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc2c | out: lpNewFilePointer=0x0) returned 1 [0053.614] ReadFile (in: hFile=0x1b8, lpBuffer=0x3cc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cc0058*, lpNumberOfBytesRead=0x33bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.727] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xe9355, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc2c | out: lpNewFilePointer=0x0) returned 1 [0053.727] ReadFile (in: hFile=0x1b8, lpBuffer=0x3d00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d00058*, lpNumberOfBytesRead=0x33bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.738] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x33bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0053.738] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x27ba00, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc2c | out: lpNewFilePointer=0x0) returned 1 [0053.738] ReadFile (in: hFile=0x1b8, lpBuffer=0x3d40058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d40058*, lpNumberOfBytesRead=0x33bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.766] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.766] WriteFile (in: hFile=0x1b8, lpBuffer=0x3cc0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x33bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesWritten=0x33bfcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0054.524] SetEndOfFile (hFile=0x1b8) returned 1 [0054.524] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x40b20a0 [0054.524] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc7c | out: lpNewFilePointer=0x0) returned 1 [0054.524] WriteFile (in: hFile=0x1b8, lpBuffer=0x40b20a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33bfc88, lpOverlapped=0x0 | out: lpBuffer=0x40b20a0*, lpNumberOfBytesWritten=0x33bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0054.526] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xe9355, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc7c | out: lpNewFilePointer=0x0) returned 1 [0054.526] WriteFile (in: hFile=0x1b8, lpBuffer=0x40b20a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33bfc88, lpOverlapped=0x0 | out: lpBuffer=0x40b20a0*, lpNumberOfBytesWritten=0x33bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0054.531] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x27ba00, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc7c | out: lpNewFilePointer=0x0) returned 1 [0054.531] WriteFile (in: hFile=0x1b8, lpBuffer=0x40b20a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33bfc88, lpOverlapped=0x0 | out: lpBuffer=0x40b20a0*, lpNumberOfBytesWritten=0x33bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0054.533] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x40b20a0 | out: hHeap=0x5f0000) returned 1 [0054.533] CloseHandle (hObject=0x1b8) returned 1 [0056.196] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0056.196] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0056.196] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0056.196] lstrlenW (lpString=".doc") returned 4 [0056.196] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0056.196] lstrlenW (lpString=".docx") returned 5 [0056.196] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0056.196] lstrlenW (lpString=".pdf") returned 4 [0056.196] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0056.196] lstrlenW (lpString=".xls") returned 4 [0056.196] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0056.196] lstrlenW (lpString=".xlsx") returned 5 [0056.196] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0056.197] lstrlenW (lpString=".ppt") returned 4 [0056.197] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0056.197] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0056.197] lstrlenW (lpString=".zip") returned 4 [0056.197] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0056.197] lstrlenW (lpString=".rar") returned 4 [0056.197] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0056.197] lstrlenW (lpString=".bz2") returned 4 [0056.197] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0056.197] lstrlenW (lpString=".7z") returned 3 [0056.197] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0056.197] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0056.197] lstrlenW (lpString=".dbf") returned 4 [0056.197] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0056.197] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0056.197] lstrlenW (lpString=".1cd") returned 4 [0056.197] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0056.197] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0056.197] lstrlenW (lpString=".jpg") returned 4 [0056.197] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0056.197] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0056.197] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0056.197] lstrlenW (lpString=".doc") returned 4 [0056.197] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0056.197] lstrlenW (lpString=".docx") returned 5 [0056.197] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0056.197] lstrlenW (lpString=".pdf") returned 4 [0056.197] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0056.197] lstrlenW (lpString=".xls") returned 4 [0056.197] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0056.197] lstrlenW (lpString=".xlsx") returned 5 [0056.197] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0056.197] lstrlenW (lpString=".ppt") returned 4 [0056.197] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0056.198] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0056.198] lstrlenW (lpString=".zip") returned 4 [0056.198] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0056.198] lstrlenW (lpString=".rar") returned 4 [0056.198] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0056.198] lstrlenW (lpString=".bz2") returned 4 [0056.198] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0056.198] lstrlenW (lpString=".7z") returned 3 [0056.198] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0056.198] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0056.198] lstrlenW (lpString=".dbf") returned 4 [0056.198] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0056.198] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0056.198] lstrlenW (lpString=".1cd") returned 4 [0056.198] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0056.198] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0056.198] lstrlenW (lpString=".jpg") returned 4 [0056.198] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0056.199] lstrcmpiW (lpString1=".msi", lpString2=".bmd") returned 1 [0056.199] lstrlenW (lpString="WordMUI.msi") returned 11 [0056.199] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0056.199] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x33bff1c | out: lpFileSize=0x33bff1c*=2522624) returned 1 [0056.200] CloseHandle (hObject=0x1b8) returned 1 [0056.200] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi")) returned 0x2020 [0056.200] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0056.200] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0056.201] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0056.202] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc6c | out: lpNewFilePointer=0x0) returned 1 [0056.202] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc2c | out: lpNewFilePointer=0x0) returned 1 [0056.202] ReadFile (in: hFile=0x1b8, lpBuffer=0x3cc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cc0058*, lpNumberOfBytesRead=0x33bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0057.765] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xcd4aa, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc2c | out: lpNewFilePointer=0x0) returned 1 [0057.765] ReadFile (in: hFile=0x1b8, lpBuffer=0x3d00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d00058*, lpNumberOfBytesRead=0x33bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0057.934] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x33bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0057.934] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x227e00, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc2c | out: lpNewFilePointer=0x0) returned 1 [0057.934] ReadFile (in: hFile=0x1b8, lpBuffer=0x3d40058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d40058*, lpNumberOfBytesRead=0x33bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0058.002] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0058.002] WriteFile (in: hFile=0x1b8, lpBuffer=0x3cc0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x33bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesWritten=0x33bfcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0058.255] SetEndOfFile (hFile=0x1b8) returned 1 [0058.256] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x40b20a0 [0058.364] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc7c | out: lpNewFilePointer=0x0) returned 1 [0058.364] WriteFile (in: hFile=0x1b8, lpBuffer=0x40b20a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33bfc88, lpOverlapped=0x0 | out: lpBuffer=0x40b20a0*, lpNumberOfBytesWritten=0x33bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0058.366] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xcd4aa, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc7c | out: lpNewFilePointer=0x0) returned 1 [0058.366] WriteFile (in: hFile=0x1b8, lpBuffer=0x40b20a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33bfc88, lpOverlapped=0x0 | out: lpBuffer=0x40b20a0*, lpNumberOfBytesWritten=0x33bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0058.374] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x227e00, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc7c | out: lpNewFilePointer=0x0) returned 1 [0058.374] WriteFile (in: hFile=0x1b8, lpBuffer=0x40b20a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33bfc88, lpOverlapped=0x0 | out: lpBuffer=0x40b20a0*, lpNumberOfBytesWritten=0x33bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0058.378] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x40b20a0 | out: hHeap=0x5f0000) returned 1 [0058.378] CloseHandle (hObject=0x1b8) returned 1 [0059.083] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0059.084] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0059.084] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0059.084] lstrlenW (lpString=".doc") returned 4 [0059.084] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0059.084] lstrlenW (lpString=".docx") returned 5 [0059.084] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0059.084] lstrlenW (lpString=".pdf") returned 4 [0059.084] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0059.084] lstrlenW (lpString=".xls") returned 4 [0059.084] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0059.084] lstrlenW (lpString=".xlsx") returned 5 [0059.084] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0059.084] lstrlenW (lpString=".ppt") returned 4 [0059.084] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0059.084] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0059.084] lstrlenW (lpString=".zip") returned 4 [0059.084] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0059.084] lstrlenW (lpString=".rar") returned 4 [0059.084] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0059.085] lstrlenW (lpString=".bz2") returned 4 [0059.085] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0059.085] lstrlenW (lpString=".7z") returned 3 [0059.085] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0059.085] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0059.085] lstrlenW (lpString=".dbf") returned 4 [0059.085] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0059.085] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0059.085] lstrlenW (lpString=".1cd") returned 4 [0059.085] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0059.085] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0059.085] lstrlenW (lpString=".jpg") returned 4 [0059.085] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0059.085] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0059.085] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0059.085] lstrlenW (lpString=".doc") returned 4 [0059.085] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0059.085] lstrlenW (lpString=".docx") returned 5 [0059.085] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0059.085] lstrlenW (lpString=".pdf") returned 4 [0059.085] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0059.085] lstrlenW (lpString=".xls") returned 4 [0059.085] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0059.085] lstrlenW (lpString=".xlsx") returned 5 [0059.086] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0059.086] lstrlenW (lpString=".ppt") returned 4 [0059.086] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0059.086] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0059.086] lstrlenW (lpString=".zip") returned 4 [0059.086] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0059.086] lstrlenW (lpString=".rar") returned 4 [0059.086] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0059.086] lstrlenW (lpString=".bz2") returned 4 [0059.086] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0059.086] lstrlenW (lpString=".7z") returned 3 [0059.086] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0059.086] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0059.086] lstrlenW (lpString=".dbf") returned 4 [0059.086] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0059.086] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0059.086] lstrlenW (lpString=".1cd") returned 4 [0059.086] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0059.086] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0059.086] lstrlenW (lpString=".jpg") returned 4 [0059.086] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0059.087] lstrcmpiW (lpString1=".msi", lpString2=".bmd") returned 1 [0059.087] lstrlenW (lpString="Proof.msi") returned 9 [0059.087] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0059.087] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x33bff1c | out: lpFileSize=0x33bff1c*=881152) returned 1 [0059.087] CloseHandle (hObject=0x1b8) returned 1 [0059.088] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi")) returned 0x2020 [0059.088] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0059.088] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0059.088] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0059.088] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0059.088] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0059.088] GetLastError () returned 0x0 [0059.089] ReadFile (in: hFile=0x1b8, lpBuffer=0x3cc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x33bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesRead=0x33bfed4*=0xd7200, lpOverlapped=0x0) returned 1 [0059.308] WriteFile (in: hFile=0x184, lpBuffer=0x3cc0020*, nNumberOfBytesToWrite=0xd7210, lpNumberOfBytesWritten=0x33bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesWritten=0x33bfc9c*=0xd7210, lpOverlapped=0x0) returned 1 [0059.324] ReadFile (in: hFile=0x1b8, lpBuffer=0x3cc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x33bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesRead=0x33bfed4*=0x0, lpOverlapped=0x0) returned 1 [0059.324] WriteFile (in: hFile=0x184, lpBuffer=0x3cc0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x33bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesWritten=0x33bfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0059.324] SetEndOfFile (hFile=0x184) returned 1 [0059.325] CloseHandle (hObject=0x184) returned 1 [0059.335] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0059.335] SetEndOfFile (hFile=0x1b8) returned 1 [0059.636] CloseHandle (hObject=0x1b8) returned 1 [0059.636] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0059.637] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi")) returned 1 [0059.637] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0059.637] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0059.637] lstrlenW (lpString=".doc") returned 4 [0059.637] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0059.637] lstrlenW (lpString=".docx") returned 5 [0059.637] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0059.637] lstrlenW (lpString=".pdf") returned 4 [0059.637] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0059.637] lstrlenW (lpString=".xls") returned 4 [0059.637] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0059.637] lstrlenW (lpString=".xlsx") returned 5 [0059.637] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0059.637] lstrlenW (lpString=".ppt") returned 4 [0059.637] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0059.637] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0059.637] lstrlenW (lpString=".zip") returned 4 [0059.637] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0059.637] lstrlenW (lpString=".rar") returned 4 [0059.637] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0059.637] lstrlenW (lpString=".bz2") returned 4 [0059.638] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0059.638] lstrlenW (lpString=".7z") returned 3 [0059.638] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0059.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0059.638] lstrlenW (lpString=".dbf") returned 4 [0059.638] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0059.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0059.638] lstrlenW (lpString=".1cd") returned 4 [0059.638] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0059.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0059.638] lstrlenW (lpString=".jpg") returned 4 [0059.638] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0059.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0059.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0059.638] lstrlenW (lpString=".doc") returned 4 [0059.638] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0059.638] lstrlenW (lpString=".docx") returned 5 [0059.638] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0059.638] lstrlenW (lpString=".pdf") returned 4 [0059.638] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0059.638] lstrlenW (lpString=".xls") returned 4 [0059.638] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0059.638] lstrlenW (lpString=".xlsx") returned 5 [0059.638] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0059.639] lstrlenW (lpString=".ppt") returned 4 [0059.639] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0059.639] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0059.639] lstrlenW (lpString=".zip") returned 4 [0059.639] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0059.639] lstrlenW (lpString=".rar") returned 4 [0059.639] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0059.639] lstrlenW (lpString=".bz2") returned 4 [0059.639] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0059.639] lstrlenW (lpString=".7z") returned 3 [0059.639] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0059.639] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0059.639] lstrlenW (lpString=".dbf") returned 4 [0059.639] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0059.639] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0059.639] lstrlenW (lpString=".1cd") returned 4 [0059.639] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0059.639] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0059.639] lstrlenW (lpString=".jpg") returned 4 [0059.639] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0059.639] lstrcmpiW (lpString1=".msi", lpString2=".bmd") returned 1 [0059.639] lstrlenW (lpString="Proof.msi") returned 9 [0059.640] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0061.088] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x33bff1c | out: lpFileSize=0x33bff1c*=885760) returned 1 [0061.089] CloseHandle (hObject=0x190) returned 1 [0061.089] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi")) returned 0x2020 [0061.089] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0061.089] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0061.089] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0061.089] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0061.089] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0061.089] GetLastError () returned 0x0 [0061.089] ReadFile (in: hFile=0x190, lpBuffer=0x3cc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x33bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesRead=0x33bfed4*=0xd8400, lpOverlapped=0x0) returned 1 [0061.209] WriteFile (in: hFile=0x1d0, lpBuffer=0x3cc0020*, nNumberOfBytesToWrite=0xd8410, lpNumberOfBytesWritten=0x33bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesWritten=0x33bfc9c*=0xd8410, lpOverlapped=0x0) returned 1 [0061.972] ReadFile (in: hFile=0x190, lpBuffer=0x3cc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x33bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesRead=0x33bfed4*=0x0, lpOverlapped=0x0) returned 1 [0061.972] WriteFile (in: hFile=0x1d0, lpBuffer=0x3cc0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x33bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesWritten=0x33bfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0061.972] SetEndOfFile (hFile=0x1d0) returned 1 [0061.973] CloseHandle (hObject=0x1d0) returned 1 [0061.984] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0061.984] SetEndOfFile (hFile=0x190) returned 1 [0061.994] CloseHandle (hObject=0x190) returned 1 [0061.994] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0061.995] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi")) returned 1 [0061.995] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0061.995] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0061.995] lstrlenW (lpString=".doc") returned 4 [0061.995] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0061.996] lstrlenW (lpString=".docx") returned 5 [0061.996] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0061.996] lstrlenW (lpString=".pdf") returned 4 [0061.996] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0061.996] lstrlenW (lpString=".xls") returned 4 [0061.996] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0061.996] lstrlenW (lpString=".xlsx") returned 5 [0061.996] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0061.996] lstrlenW (lpString=".ppt") returned 4 [0061.996] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0061.996] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0061.996] lstrlenW (lpString=".zip") returned 4 [0061.996] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0061.996] lstrlenW (lpString=".rar") returned 4 [0061.996] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0061.996] lstrlenW (lpString=".bz2") returned 4 [0061.996] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0061.996] lstrlenW (lpString=".7z") returned 3 [0061.996] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0061.996] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0061.997] lstrlenW (lpString=".dbf") returned 4 [0061.997] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0061.997] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0061.997] lstrlenW (lpString=".1cd") returned 4 [0061.997] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0061.997] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0061.997] lstrlenW (lpString=".jpg") returned 4 [0061.997] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0061.997] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0061.997] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0061.997] lstrlenW (lpString=".doc") returned 4 [0061.997] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0061.997] lstrlenW (lpString=".docx") returned 5 [0061.997] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0061.997] lstrlenW (lpString=".pdf") returned 4 [0061.997] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0061.997] lstrlenW (lpString=".xls") returned 4 [0061.997] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0061.997] lstrlenW (lpString=".xlsx") returned 5 [0061.997] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0061.997] lstrlenW (lpString=".ppt") returned 4 [0061.998] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0061.998] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0061.998] lstrlenW (lpString=".zip") returned 4 [0061.998] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0061.998] lstrlenW (lpString=".rar") returned 4 [0061.998] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0061.998] lstrlenW (lpString=".bz2") returned 4 [0061.998] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0061.998] lstrlenW (lpString=".7z") returned 3 [0061.998] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0061.998] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0061.998] lstrlenW (lpString=".dbf") returned 4 [0061.998] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0061.998] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0061.998] lstrlenW (lpString=".1cd") returned 4 [0061.998] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0061.999] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0061.999] lstrlenW (lpString=".jpg") returned 4 [0061.999] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0061.999] lstrcmpiW (lpString1=".cab", lpString2=".bmd") returned 1 [0061.999] lstrlenW (lpString="OWOW32LR.cab") returned 12 [0061.999] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0062.000] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x33bff1c | out: lpFileSize=0x33bff1c*=2928955) returned 1 [0062.000] CloseHandle (hObject=0x190) returned 1 [0062.000] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab")) returned 0x2020 [0062.000] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.000] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0062.001] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0062.001] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc6c | out: lpNewFilePointer=0x0) returned 1 [0062.001] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc2c | out: lpNewFilePointer=0x0) returned 1 [0062.001] ReadFile (in: hFile=0x190, lpBuffer=0x3cc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cc0058*, lpNumberOfBytesRead=0x33bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0062.307] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xee5be, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc2c | out: lpNewFilePointer=0x0) returned 1 [0062.307] ReadFile (in: hFile=0x190, lpBuffer=0x3d00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d00058*, lpNumberOfBytesRead=0x33bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0062.385] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x33bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0062.385] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x28b13b, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc2c | out: lpNewFilePointer=0x0) returned 1 [0062.385] ReadFile (in: hFile=0x190, lpBuffer=0x3d40058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d40058*, lpNumberOfBytesRead=0x33bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0062.499] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0062.499] WriteFile (in: hFile=0x190, lpBuffer=0x3cc0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x33bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesWritten=0x33bfcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0062.937] SetEndOfFile (hFile=0x190) returned 1 [0062.937] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x4092090 [0062.937] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc7c | out: lpNewFilePointer=0x0) returned 1 [0062.938] WriteFile (in: hFile=0x190, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33bfc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x33bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0062.947] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xee5be, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc7c | out: lpNewFilePointer=0x0) returned 1 [0062.947] WriteFile (in: hFile=0x190, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33bfc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x33bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0062.952] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x28b13b, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc7c | out: lpNewFilePointer=0x0) returned 1 [0062.952] WriteFile (in: hFile=0x190, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33bfc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x33bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0062.954] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4092090 | out: hHeap=0x5f0000) returned 1 [0062.954] CloseHandle (hObject=0x190) returned 1 [0062.954] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0062.955] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0062.955] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0062.955] lstrlenW (lpString=".doc") returned 4 [0062.955] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0062.955] lstrlenW (lpString=".docx") returned 5 [0062.955] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0062.955] lstrlenW (lpString=".pdf") returned 4 [0062.955] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0062.955] lstrlenW (lpString=".xls") returned 4 [0062.955] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0062.955] lstrlenW (lpString=".xlsx") returned 5 [0062.955] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0062.955] lstrlenW (lpString=".ppt") returned 4 [0062.955] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0062.955] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0062.955] lstrlenW (lpString=".zip") returned 4 [0062.955] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0062.955] lstrlenW (lpString=".rar") returned 4 [0062.955] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0062.956] lstrlenW (lpString=".bz2") returned 4 [0062.956] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0062.956] lstrlenW (lpString=".7z") returned 3 [0062.956] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0062.956] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0062.956] lstrlenW (lpString=".dbf") returned 4 [0062.956] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0062.956] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0062.956] lstrlenW (lpString=".1cd") returned 4 [0062.956] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0062.956] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0062.956] lstrlenW (lpString=".jpg") returned 4 [0062.956] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0062.956] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0062.956] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0062.956] lstrlenW (lpString=".doc") returned 4 [0062.956] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0062.956] lstrlenW (lpString=".docx") returned 5 [0062.956] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0062.956] lstrlenW (lpString=".pdf") returned 4 [0062.956] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0062.956] lstrlenW (lpString=".xls") returned 4 [0062.956] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0062.956] lstrlenW (lpString=".xlsx") returned 5 [0062.956] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0062.956] lstrlenW (lpString=".ppt") returned 4 [0062.956] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0062.956] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0062.956] lstrlenW (lpString=".zip") returned 4 [0062.956] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0062.957] lstrlenW (lpString=".rar") returned 4 [0062.957] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0062.957] lstrlenW (lpString=".bz2") returned 4 [0062.957] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0062.957] lstrlenW (lpString=".7z") returned 3 [0062.957] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0062.957] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0062.957] lstrlenW (lpString=".dbf") returned 4 [0062.957] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0062.957] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0062.957] lstrlenW (lpString=".1cd") returned 4 [0062.957] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0062.957] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0062.957] lstrlenW (lpString=".jpg") returned 4 [0062.957] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0062.957] lstrcmpiW (lpString1=".cab", lpString2=".bmd") returned 1 [0062.957] lstrlenW (lpString="VisioLR.cab") returned 11 [0062.957] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0062.958] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x33bff1c | out: lpFileSize=0x33bff1c*=50823389) returned 1 [0062.958] CloseHandle (hObject=0x190) returned 1 [0062.958] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab")) returned 0x2020 [0062.958] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.958] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0062.958] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0062.958] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc6c | out: lpNewFilePointer=0x0) returned 1 [0062.959] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc2c | out: lpNewFilePointer=0x0) returned 1 [0062.959] ReadFile (in: hFile=0x190, lpBuffer=0x3cc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cc0058*, lpNumberOfBytesRead=0x33bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0063.849] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x1028049, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc2c | out: lpNewFilePointer=0x0) returned 1 [0063.849] ReadFile (in: hFile=0x190, lpBuffer=0x3d00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d00058*, lpNumberOfBytesRead=0x33bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0064.136] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x33bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0064.136] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x30380dd, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc2c | out: lpNewFilePointer=0x0) returned 1 [0064.136] ReadFile (in: hFile=0x190, lpBuffer=0x3d40058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d40058*, lpNumberOfBytesRead=0x33bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0064.924] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0064.925] WriteFile (in: hFile=0x190, lpBuffer=0x3cc0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x33bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesWritten=0x33bfcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0065.269] SetEndOfFile (hFile=0x190) returned 1 [0065.270] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x4092090 [0065.270] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc7c | out: lpNewFilePointer=0x0) returned 1 [0065.270] WriteFile (in: hFile=0x190, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33bfc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x33bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0065.271] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x1028049, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc7c | out: lpNewFilePointer=0x0) returned 1 [0065.271] WriteFile (in: hFile=0x190, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33bfc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x33bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0065.272] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x30380dd, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc7c | out: lpNewFilePointer=0x0) returned 1 [0065.272] WriteFile (in: hFile=0x190, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33bfc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x33bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0065.274] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4092090 | out: hHeap=0x5f0000) returned 1 [0065.274] CloseHandle (hObject=0x190) returned 1 [0065.275] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0065.275] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0065.275] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0065.275] lstrlenW (lpString=".doc") returned 4 [0065.275] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0065.275] lstrlenW (lpString=".docx") returned 5 [0065.275] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0065.275] lstrlenW (lpString=".pdf") returned 4 [0065.276] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0065.276] lstrlenW (lpString=".xls") returned 4 [0065.276] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0065.276] lstrlenW (lpString=".xlsx") returned 5 [0065.276] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0065.276] lstrlenW (lpString=".ppt") returned 4 [0065.276] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0065.276] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0065.276] lstrlenW (lpString=".zip") returned 4 [0065.276] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0065.276] lstrlenW (lpString=".rar") returned 4 [0065.276] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0065.276] lstrlenW (lpString=".bz2") returned 4 [0065.276] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0065.276] lstrlenW (lpString=".7z") returned 3 [0065.276] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0065.276] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0065.276] lstrlenW (lpString=".dbf") returned 4 [0065.276] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0065.276] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0065.276] lstrlenW (lpString=".1cd") returned 4 [0065.276] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0065.276] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0065.276] lstrlenW (lpString=".jpg") returned 4 [0065.276] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0065.276] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0065.276] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0065.277] lstrlenW (lpString=".doc") returned 4 [0065.277] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0065.277] lstrlenW (lpString=".docx") returned 5 [0065.277] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0065.277] lstrlenW (lpString=".pdf") returned 4 [0065.277] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0065.277] lstrlenW (lpString=".xls") returned 4 [0065.277] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0065.277] lstrlenW (lpString=".xlsx") returned 5 [0065.277] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0065.277] lstrlenW (lpString=".ppt") returned 4 [0065.277] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0065.277] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0065.277] lstrlenW (lpString=".zip") returned 4 [0065.277] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0065.277] lstrlenW (lpString=".rar") returned 4 [0065.277] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0065.277] lstrlenW (lpString=".bz2") returned 4 [0065.277] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0065.277] lstrlenW (lpString=".7z") returned 3 [0065.277] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0065.277] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0065.277] lstrlenW (lpString=".dbf") returned 4 [0065.277] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0065.277] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0065.277] lstrlenW (lpString=".1cd") returned 4 [0065.277] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0065.277] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0065.278] lstrlenW (lpString=".jpg") returned 4 [0065.278] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0065.328] lstrcmpiW (lpString1=".cab", lpString2=".bmd") returned 1 [0065.328] lstrlenW (lpString="GrooveLR.cab") returned 12 [0065.328] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0065.329] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x33bff1c | out: lpFileSize=0x33bff1c*=4095519) returned 1 [0065.329] CloseHandle (hObject=0x1d4) returned 1 [0065.329] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab")) returned 0x2020 [0065.329] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0065.329] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0065.330] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0065.330] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc6c | out: lpNewFilePointer=0x0) returned 1 [0065.330] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc2c | out: lpNewFilePointer=0x0) returned 1 [0065.331] ReadFile (in: hFile=0x1d4, lpBuffer=0x3cc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cc0058*, lpNumberOfBytesRead=0x33bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0065.340] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x14d4b5, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc2c | out: lpNewFilePointer=0x0) returned 1 [0065.340] ReadFile (in: hFile=0x1d4, lpBuffer=0x3d00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d00058*, lpNumberOfBytesRead=0x33bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0065.351] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x33bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0065.351] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x3a7e1f, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc2c | out: lpNewFilePointer=0x0) returned 1 [0065.351] ReadFile (in: hFile=0x1d4, lpBuffer=0x3d40058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d40058*, lpNumberOfBytesRead=0x33bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0065.379] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0065.379] WriteFile (in: hFile=0x1d4, lpBuffer=0x3cc0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x33bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesWritten=0x33bfcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0066.584] SetEndOfFile (hFile=0x1d4) returned 1 [0066.585] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x4092090 [0066.588] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc7c | out: lpNewFilePointer=0x0) returned 1 [0066.588] WriteFile (in: hFile=0x1d4, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33bfc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x33bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0066.591] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x14d4b5, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc7c | out: lpNewFilePointer=0x0) returned 1 [0066.591] WriteFile (in: hFile=0x1d4, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33bfc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x33bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0066.594] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x3a7e1f, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc7c | out: lpNewFilePointer=0x0) returned 1 [0066.594] WriteFile (in: hFile=0x1d4, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33bfc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x33bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0066.597] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4092090 | out: hHeap=0x5f0000) returned 1 [0066.597] CloseHandle (hObject=0x1d4) returned 1 [0066.598] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0066.598] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0066.598] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0066.598] lstrlenW (lpString=".doc") returned 4 [0066.598] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0066.598] lstrlenW (lpString=".docx") returned 5 [0066.598] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0066.598] lstrlenW (lpString=".pdf") returned 4 [0066.598] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0066.598] lstrlenW (lpString=".xls") returned 4 [0066.598] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0066.598] lstrlenW (lpString=".xlsx") returned 5 [0066.599] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0066.599] lstrlenW (lpString=".ppt") returned 4 [0066.599] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0066.599] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0066.599] lstrlenW (lpString=".zip") returned 4 [0066.599] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0066.599] lstrlenW (lpString=".rar") returned 4 [0066.599] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0066.599] lstrlenW (lpString=".bz2") returned 4 [0066.599] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0066.599] lstrlenW (lpString=".7z") returned 3 [0066.599] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0066.599] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0066.599] lstrlenW (lpString=".dbf") returned 4 [0066.599] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0066.599] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0066.599] lstrlenW (lpString=".1cd") returned 4 [0066.599] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0066.599] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0066.599] lstrlenW (lpString=".jpg") returned 4 [0066.599] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0066.599] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0066.599] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0066.599] lstrlenW (lpString=".doc") returned 4 [0066.600] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0066.600] lstrlenW (lpString=".docx") returned 5 [0066.600] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0066.600] lstrlenW (lpString=".pdf") returned 4 [0066.600] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0066.600] lstrlenW (lpString=".xls") returned 4 [0066.600] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0066.600] lstrlenW (lpString=".xlsx") returned 5 [0066.600] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0066.600] lstrlenW (lpString=".ppt") returned 4 [0066.600] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0066.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0066.600] lstrlenW (lpString=".zip") returned 4 [0066.600] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0066.600] lstrlenW (lpString=".rar") returned 4 [0066.600] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0066.600] lstrlenW (lpString=".bz2") returned 4 [0066.600] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0066.600] lstrlenW (lpString=".7z") returned 3 [0066.600] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0066.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0066.600] lstrlenW (lpString=".dbf") returned 4 [0066.600] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0066.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0066.600] lstrlenW (lpString=".1cd") returned 4 [0066.600] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0066.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0066.600] lstrlenW (lpString=".jpg") returned 4 [0066.600] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0066.601] lstrcmpiW (lpString1=".dll", lpString2=".bmd") returned 1 [0066.601] lstrlenW (lpString="dwintl20.dll") returned 12 [0066.601] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0066.601] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x33bff1c | out: lpFileSize=0x33bff1c*=107912) returned 1 [0066.601] CloseHandle (hObject=0x1d4) returned 1 [0066.601] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll")) returned 0x2020 [0066.602] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0066.602] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0066.602] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0066.602] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0066.602] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0067.371] GetLastError () returned 0x0 [0067.371] ReadFile (in: hFile=0x1d4, lpBuffer=0x3cc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x33bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesRead=0x33bfed4*=0x1a588, lpOverlapped=0x0) returned 1 [0067.380] WriteFile (in: hFile=0x1ac, lpBuffer=0x3cc0020*, nNumberOfBytesToWrite=0x1a590, lpNumberOfBytesWritten=0x33bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesWritten=0x33bfc9c*=0x1a590, lpOverlapped=0x0) returned 1 [0067.384] ReadFile (in: hFile=0x1d4, lpBuffer=0x3cc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x33bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesRead=0x33bfed4*=0x0, lpOverlapped=0x0) returned 1 [0067.384] WriteFile (in: hFile=0x1ac, lpBuffer=0x3cc0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x33bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesWritten=0x33bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0067.384] SetEndOfFile (hFile=0x1ac) returned 1 [0067.384] CloseHandle (hObject=0x1ac) returned 1 [0067.384] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0067.385] SetEndOfFile (hFile=0x1d4) returned 1 [0067.387] CloseHandle (hObject=0x1d4) returned 1 [0067.387] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0067.388] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll")) returned 1 [0067.388] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0067.388] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0067.388] lstrlenW (lpString=".doc") returned 4 [0067.388] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0067.388] lstrlenW (lpString=".docx") returned 5 [0067.388] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0067.388] lstrlenW (lpString=".pdf") returned 4 [0067.388] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0067.388] lstrlenW (lpString=".xls") returned 4 [0067.388] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0067.388] lstrlenW (lpString=".xlsx") returned 5 [0067.389] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0067.389] lstrlenW (lpString=".ppt") returned 4 [0067.389] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0067.389] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0067.389] lstrlenW (lpString=".zip") returned 4 [0067.389] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0067.389] lstrlenW (lpString=".rar") returned 4 [0067.389] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0067.389] lstrlenW (lpString=".bz2") returned 4 [0067.389] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0067.389] lstrlenW (lpString=".7z") returned 3 [0067.389] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0067.389] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0067.389] lstrlenW (lpString=".dbf") returned 4 [0067.389] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0067.389] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0067.389] lstrlenW (lpString=".1cd") returned 4 [0067.389] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0067.389] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0067.389] lstrlenW (lpString=".jpg") returned 4 [0067.389] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0067.389] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0067.389] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0067.389] lstrlenW (lpString=".doc") returned 4 [0067.390] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0067.390] lstrlenW (lpString=".docx") returned 5 [0067.390] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0067.390] lstrlenW (lpString=".pdf") returned 4 [0067.390] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0067.390] lstrlenW (lpString=".xls") returned 4 [0067.390] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0067.390] lstrlenW (lpString=".xlsx") returned 5 [0067.390] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0067.390] lstrlenW (lpString=".ppt") returned 4 [0067.390] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0067.390] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0067.390] lstrlenW (lpString=".zip") returned 4 [0067.390] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0067.390] lstrlenW (lpString=".rar") returned 4 [0067.390] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0067.390] lstrlenW (lpString=".bz2") returned 4 [0067.390] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0067.390] lstrlenW (lpString=".7z") returned 3 [0067.390] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0067.390] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0067.390] lstrlenW (lpString=".dbf") returned 4 [0067.390] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0067.390] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0067.390] lstrlenW (lpString=".1cd") returned 4 [0067.390] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0067.391] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0067.391] lstrlenW (lpString=".jpg") returned 4 [0067.391] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0067.391] lstrcmpiW (lpString1=".msi", lpString2=".bmd") returned 1 [0067.391] lstrlenW (lpString="OfficeMUISet.msi") returned 16 [0067.391] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0067.391] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x33bff1c | out: lpFileSize=0x33bff1c*=868864) returned 1 [0067.391] CloseHandle (hObject=0x1d4) returned 1 [0067.391] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi")) returned 0x2020 [0067.392] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.392] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0067.392] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0067.392] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0067.392] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0067.392] GetLastError () returned 0x0 [0067.392] ReadFile (in: hFile=0x1d4, lpBuffer=0x3cc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x33bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesRead=0x33bfed4*=0xd4200, lpOverlapped=0x0) returned 1 [0067.646] WriteFile (in: hFile=0x1ac, lpBuffer=0x3cc0020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x33bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesWritten=0x33bfc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0067.815] ReadFile (in: hFile=0x1d4, lpBuffer=0x3cc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x33bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesRead=0x33bfed4*=0x0, lpOverlapped=0x0) returned 1 [0067.815] WriteFile (in: hFile=0x1ac, lpBuffer=0x3cc0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x33bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesWritten=0x33bfc9c*=0xf4, lpOverlapped=0x0) returned 1 [0067.816] SetEndOfFile (hFile=0x1ac) returned 1 [0067.816] CloseHandle (hObject=0x1ac) returned 1 [0067.816] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0067.816] SetEndOfFile (hFile=0x1d4) returned 1 [0067.826] CloseHandle (hObject=0x1d4) returned 1 [0067.827] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0067.827] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi")) returned 1 [0067.827] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0067.827] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0067.827] lstrlenW (lpString=".doc") returned 4 [0067.827] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0067.828] lstrlenW (lpString=".docx") returned 5 [0067.828] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0067.828] lstrlenW (lpString=".pdf") returned 4 [0067.828] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0067.828] lstrlenW (lpString=".xls") returned 4 [0067.828] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0067.828] lstrlenW (lpString=".xlsx") returned 5 [0067.828] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0067.828] lstrlenW (lpString=".ppt") returned 4 [0067.828] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0067.828] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0067.828] lstrlenW (lpString=".zip") returned 4 [0067.828] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0067.828] lstrlenW (lpString=".rar") returned 4 [0067.828] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0067.828] lstrlenW (lpString=".bz2") returned 4 [0067.828] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0067.828] lstrlenW (lpString=".7z") returned 3 [0067.828] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0067.829] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0067.829] lstrlenW (lpString=".dbf") returned 4 [0067.829] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0067.829] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0067.829] lstrlenW (lpString=".1cd") returned 4 [0067.829] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0067.829] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0067.829] lstrlenW (lpString=".jpg") returned 4 [0067.829] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0067.829] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0067.829] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0067.829] lstrlenW (lpString=".doc") returned 4 [0067.829] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0067.829] lstrlenW (lpString=".docx") returned 5 [0067.829] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0067.829] lstrlenW (lpString=".pdf") returned 4 [0067.829] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0067.829] lstrlenW (lpString=".xls") returned 4 [0067.829] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0067.829] lstrlenW (lpString=".xlsx") returned 5 [0067.829] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0067.829] lstrlenW (lpString=".ppt") returned 4 [0067.829] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0067.829] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0067.829] lstrlenW (lpString=".zip") returned 4 [0067.830] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0067.830] lstrlenW (lpString=".rar") returned 4 [0067.830] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0067.830] lstrlenW (lpString=".bz2") returned 4 [0067.830] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0067.830] lstrlenW (lpString=".7z") returned 3 [0067.830] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0067.830] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0067.830] lstrlenW (lpString=".dbf") returned 4 [0067.830] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0067.830] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0067.830] lstrlenW (lpString=".1cd") returned 4 [0067.830] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0067.830] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0067.830] lstrlenW (lpString=".jpg") returned 4 [0067.830] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0067.830] lstrcmpiW (lpString1=".msi", lpString2=".bmd") returned 1 [0067.830] lstrlenW (lpString="AccessMUISet.msi") returned 16 [0067.830] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0067.831] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x33bff1c | out: lpFileSize=0x33bff1c*=868864) returned 1 [0067.831] CloseHandle (hObject=0x1d4) returned 1 [0067.831] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi")) returned 0x2020 [0067.831] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.831] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0067.831] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0067.832] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0067.832] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0067.832] GetLastError () returned 0x0 [0067.832] ReadFile (in: hFile=0x1d4, lpBuffer=0x3cc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x33bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesRead=0x33bfed4*=0xd4200, lpOverlapped=0x0) returned 1 [0067.931] WriteFile (in: hFile=0x1ac, lpBuffer=0x3cc0020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x33bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesWritten=0x33bfc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0068.973] ReadFile (in: hFile=0x1d4, lpBuffer=0x3cc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x33bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesRead=0x33bfed4*=0x0, lpOverlapped=0x0) returned 1 [0068.973] WriteFile (in: hFile=0x1ac, lpBuffer=0x3cc0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x33bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesWritten=0x33bfc9c*=0xf4, lpOverlapped=0x0) returned 1 [0068.973] SetEndOfFile (hFile=0x1ac) returned 1 [0068.974] CloseHandle (hObject=0x1ac) returned 1 [0068.974] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0068.974] SetEndOfFile (hFile=0x1d4) returned 1 [0068.982] CloseHandle (hObject=0x1d4) returned 1 [0068.983] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0068.983] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi")) returned 1 [0068.983] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0068.983] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0068.983] lstrlenW (lpString=".doc") returned 4 [0068.983] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0068.983] lstrlenW (lpString=".docx") returned 5 [0068.983] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0068.984] lstrlenW (lpString=".pdf") returned 4 [0068.984] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0068.984] lstrlenW (lpString=".xls") returned 4 [0068.984] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0068.984] lstrlenW (lpString=".xlsx") returned 5 [0068.984] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0068.984] lstrlenW (lpString=".ppt") returned 4 [0068.984] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0068.984] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0068.984] lstrlenW (lpString=".zip") returned 4 [0068.984] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0068.984] lstrlenW (lpString=".rar") returned 4 [0068.984] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0068.984] lstrlenW (lpString=".bz2") returned 4 [0068.984] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0068.984] lstrlenW (lpString=".7z") returned 3 [0068.984] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0068.984] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0068.984] lstrlenW (lpString=".dbf") returned 4 [0068.984] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0068.984] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0068.984] lstrlenW (lpString=".1cd") returned 4 [0068.984] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0068.984] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0068.984] lstrlenW (lpString=".jpg") returned 4 [0068.984] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0068.985] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0068.985] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0068.985] lstrlenW (lpString=".doc") returned 4 [0068.985] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0068.985] lstrlenW (lpString=".docx") returned 5 [0068.985] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0068.985] lstrlenW (lpString=".pdf") returned 4 [0068.985] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0068.985] lstrlenW (lpString=".xls") returned 4 [0068.985] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0068.985] lstrlenW (lpString=".xlsx") returned 5 [0068.985] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0068.985] lstrlenW (lpString=".ppt") returned 4 [0068.985] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0068.985] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0068.985] lstrlenW (lpString=".zip") returned 4 [0068.985] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0068.985] lstrlenW (lpString=".rar") returned 4 [0068.985] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0068.985] lstrlenW (lpString=".bz2") returned 4 [0068.985] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0068.985] lstrlenW (lpString=".7z") returned 3 [0068.986] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0068.986] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0068.986] lstrlenW (lpString=".dbf") returned 4 [0068.986] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0068.986] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0068.986] lstrlenW (lpString=".1cd") returned 4 [0068.986] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0068.986] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0068.986] lstrlenW (lpString=".jpg") returned 4 [0068.986] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0068.986] lstrcmpiW (lpString1=".dll", lpString2=".bmd") returned 1 [0068.986] lstrlenW (lpString="osetup.dll") returned 10 [0068.986] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0068.987] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x33bff1c | out: lpFileSize=0x33bff1c*=7378792) returned 1 [0068.987] CloseHandle (hObject=0x1d4) returned 1 [0068.987] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll")) returned 0x2020 [0068.987] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0068.987] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0068.988] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0068.988] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc6c | out: lpNewFilePointer=0x0) returned 1 [0068.988] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc2c | out: lpNewFilePointer=0x0) returned 1 [0068.988] ReadFile (in: hFile=0x1d4, lpBuffer=0x3cc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cc0058*, lpNumberOfBytesRead=0x33bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0068.991] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc2c | out: lpNewFilePointer=0x0) returned 1 [0068.992] ReadFile (in: hFile=0x1d4, lpBuffer=0x3d00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d00058*, lpNumberOfBytesRead=0x33bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0068.997] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x33bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0068.997] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc2c | out: lpNewFilePointer=0x0) returned 1 [0068.997] ReadFile (in: hFile=0x1d4, lpBuffer=0x3d40058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d40058*, lpNumberOfBytesRead=0x33bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0069.368] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec8 | out: lpNewFilePointer=0x0) returned 1 [0069.368] WriteFile (in: hFile=0x1d4, lpBuffer=0x3cc0020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x33bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3cc0020*, lpNumberOfBytesWritten=0x33bfcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0069.859] SetEndOfFile (hFile=0x1d4) returned 1 [0069.859] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x4092090 [0069.859] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc7c | out: lpNewFilePointer=0x0) returned 1 [0069.859] WriteFile (in: hFile=0x1d4, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33bfc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x33bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0069.862] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc7c | out: lpNewFilePointer=0x0) returned 1 [0069.862] WriteFile (in: hFile=0x1d4, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33bfc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x33bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0069.865] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x33bfc7c | out: lpNewFilePointer=0x0) returned 1 [0069.865] WriteFile (in: hFile=0x1d4, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33bfc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x33bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0069.866] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4092090 | out: hHeap=0x5f0000) returned 1 [0069.866] CloseHandle (hObject=0x1d4) returned 1 [0069.867] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0069.867] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0069.867] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0069.867] lstrlenW (lpString=".doc") returned 4 [0069.867] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0069.867] lstrlenW (lpString=".docx") returned 5 [0069.867] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0069.867] lstrlenW (lpString=".pdf") returned 4 [0069.867] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0069.867] lstrlenW (lpString=".xls") returned 4 [0069.867] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0069.867] lstrlenW (lpString=".xlsx") returned 5 [0069.867] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0069.867] lstrlenW (lpString=".ppt") returned 4 [0069.867] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0069.867] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0069.867] lstrlenW (lpString=".zip") returned 4 [0069.867] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0069.867] lstrlenW (lpString=".rar") returned 4 [0069.868] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0069.868] lstrlenW (lpString=".bz2") returned 4 [0069.868] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0069.868] lstrlenW (lpString=".7z") returned 3 [0069.868] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0069.868] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0069.868] lstrlenW (lpString=".dbf") returned 4 [0069.868] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0069.868] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0069.868] lstrlenW (lpString=".1cd") returned 4 [0069.868] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0069.868] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0069.868] lstrlenW (lpString=".jpg") returned 4 [0069.868] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0069.868] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0069.868] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0069.868] lstrlenW (lpString=".doc") returned 4 [0069.868] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0069.868] lstrlenW (lpString=".docx") returned 5 [0069.868] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0069.868] lstrlenW (lpString=".pdf") returned 4 [0069.868] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0069.868] lstrlenW (lpString=".xls") returned 4 [0069.868] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0069.868] lstrlenW (lpString=".xlsx") returned 5 [0069.868] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0069.868] lstrlenW (lpString=".ppt") returned 4 [0069.868] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0069.868] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0069.868] lstrlenW (lpString=".zip") returned 4 [0069.869] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0069.869] lstrlenW (lpString=".rar") returned 4 [0069.869] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0069.869] lstrlenW (lpString=".bz2") returned 4 [0069.869] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0069.869] lstrlenW (lpString=".7z") returned 3 [0069.869] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0069.869] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0069.869] lstrlenW (lpString=".dbf") returned 4 [0069.869] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0069.869] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0069.869] lstrlenW (lpString=".1cd") returned 4 [0069.869] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0069.869] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0069.869] lstrlenW (lpString=".jpg") returned 4 [0069.869] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0069.869] lstrcmpiW (lpString1=".cab", lpString2=".bmd") returned 1 [0069.869] lstrlenW (lpString="ProPrWW2.cab") returned 12 [0069.869] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 19 os_tid = 0x248 [0048.378] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x3900098 [0048.378] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x39100a0 [0048.379] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646b20 [0048.379] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x646f80 [0048.379] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646b38 [0048.379] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x3dd0020 [0048.379] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646b50 [0048.379] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646b50, Size=0x20) returned 0x63c7a8 [0048.379] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646b50 [0048.379] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646b50, Size=0x20) returned 0x63c758 [0048.379] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0048.379] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0048.380] Wow64DisableWow64FsRedirection (in: OldValue=0x360ff58 | out: OldValue=0x360ff58*=0x0) returned 1 [0048.380] lstrlenW (lpString="kernel32.dll") returned 12 [0048.380] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c7a8 | out: hHeap=0x5f0000) returned 1 [0048.380] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0048.380] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c758 | out: hHeap=0x5f0000) returned 1 [0048.380] Sleep (dwMilliseconds=0x64) [0048.596] lstrcmpiW (lpString1=".ttf", lpString2=".bmd") returned 1 [0048.596] lstrlenW (lpString="kor_boot.ttf") returned 12 [0048.596] CreateFileW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0048.839] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=2371360) returned 1 [0048.839] CloseHandle (hObject=0x19c) returned 1 [0048.840] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf")) returned 0x20 [0048.840] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.840] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0 [0048.840] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0048.840] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0048.840] lstrlenW (lpString=".doc") returned 4 [0048.840] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0048.840] lstrlenW (lpString=".docx") returned 5 [0048.840] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0048.840] lstrlenW (lpString=".pdf") returned 4 [0048.840] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0048.840] lstrlenW (lpString=".xls") returned 4 [0048.840] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0048.840] lstrlenW (lpString=".xlsx") returned 5 [0048.840] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0048.840] lstrlenW (lpString=".ppt") returned 4 [0048.840] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0048.840] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0048.840] lstrlenW (lpString=".zip") returned 4 [0048.840] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0048.840] lstrlenW (lpString=".rar") returned 4 [0048.840] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0048.840] lstrlenW (lpString=".bz2") returned 4 [0048.840] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0048.840] lstrlenW (lpString=".7z") returned 3 [0048.841] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0048.841] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0048.841] lstrlenW (lpString=".dbf") returned 4 [0048.841] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0048.841] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0048.841] lstrlenW (lpString=".1cd") returned 4 [0048.841] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0048.841] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0048.841] lstrlenW (lpString=".jpg") returned 4 [0048.841] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0048.841] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0048.841] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0048.841] lstrlenW (lpString=".doc") returned 4 [0048.841] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0048.841] lstrlenW (lpString=".docx") returned 5 [0048.841] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0048.841] lstrlenW (lpString=".pdf") returned 4 [0048.841] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0048.841] lstrlenW (lpString=".xls") returned 4 [0048.841] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0048.841] lstrlenW (lpString=".xlsx") returned 5 [0048.841] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0048.841] lstrlenW (lpString=".ppt") returned 4 [0048.841] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0048.841] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0048.841] lstrlenW (lpString=".zip") returned 4 [0048.841] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0048.841] lstrlenW (lpString=".rar") returned 4 [0048.841] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0048.841] lstrlenW (lpString=".bz2") returned 4 [0048.841] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0048.842] lstrlenW (lpString=".7z") returned 3 [0048.842] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0048.842] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0048.842] lstrlenW (lpString=".dbf") returned 4 [0048.842] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0048.842] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0048.842] lstrlenW (lpString=".1cd") returned 4 [0048.842] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0048.842] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0048.842] lstrlenW (lpString=".jpg") returned 4 [0048.842] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0048.842] lstrcmpiW (lpString1=".mui", lpString2=".bmd") returned 1 [0048.842] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0048.842] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0048.842] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=93248) returned 1 [0048.842] CloseHandle (hObject=0x19c) returned 1 [0048.842] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui")) returned 0x20 [0048.843] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.843] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.843] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0048.843] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0048.843] lstrlenW (lpString=".doc") returned 4 [0048.843] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.843] lstrlenW (lpString=".docx") returned 5 [0048.843] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.843] lstrlenW (lpString=".pdf") returned 4 [0048.843] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.843] lstrlenW (lpString=".xls") returned 4 [0048.843] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.843] lstrlenW (lpString=".xlsx") returned 5 [0048.843] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.843] lstrlenW (lpString=".ppt") returned 4 [0048.843] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0048.843] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0048.843] lstrlenW (lpString=".zip") returned 4 [0048.843] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0048.843] lstrlenW (lpString=".rar") returned 4 [0048.843] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0048.843] lstrlenW (lpString=".bz2") returned 4 [0048.843] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0048.843] lstrlenW (lpString=".7z") returned 3 [0048.843] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0048.843] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0048.843] lstrlenW (lpString=".dbf") returned 4 [0048.843] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0048.843] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0048.843] lstrlenW (lpString=".1cd") returned 4 [0048.844] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0048.844] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0048.844] lstrlenW (lpString=".jpg") returned 4 [0048.844] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0048.844] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0048.844] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0048.844] lstrlenW (lpString=".doc") returned 4 [0048.844] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.844] lstrlenW (lpString=".docx") returned 5 [0048.844] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.844] lstrlenW (lpString=".pdf") returned 4 [0048.844] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.844] lstrlenW (lpString=".xls") returned 4 [0048.844] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.844] lstrlenW (lpString=".xlsx") returned 5 [0048.844] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.844] lstrlenW (lpString=".ppt") returned 4 [0048.844] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0048.844] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0048.844] lstrlenW (lpString=".zip") returned 4 [0048.844] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0048.844] lstrlenW (lpString=".rar") returned 4 [0048.844] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0048.844] lstrlenW (lpString=".bz2") returned 4 [0048.844] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0048.844] lstrlenW (lpString=".7z") returned 3 [0048.844] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0048.844] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0048.844] lstrlenW (lpString=".dbf") returned 4 [0048.844] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0048.844] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0048.845] lstrlenW (lpString=".1cd") returned 4 [0048.845] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0048.845] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0048.845] lstrlenW (lpString=".jpg") returned 4 [0048.845] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0048.845] lstrcmpiW (lpString1=".mui", lpString2=".bmd") returned 1 [0048.845] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0048.845] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0048.845] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=90688) returned 1 [0048.845] CloseHandle (hObject=0x19c) returned 1 [0048.845] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui")) returned 0x20 [0048.845] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.845] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.845] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0048.845] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0048.845] lstrlenW (lpString=".doc") returned 4 [0048.846] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.846] lstrlenW (lpString=".docx") returned 5 [0048.846] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.846] lstrlenW (lpString=".pdf") returned 4 [0048.846] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.846] lstrlenW (lpString=".xls") returned 4 [0048.846] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.846] lstrlenW (lpString=".xlsx") returned 5 [0048.846] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.846] lstrlenW (lpString=".ppt") returned 4 [0048.846] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0048.846] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0048.846] lstrlenW (lpString=".zip") returned 4 [0048.846] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0048.846] lstrlenW (lpString=".rar") returned 4 [0048.846] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0048.846] lstrlenW (lpString=".bz2") returned 4 [0048.846] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0048.846] lstrlenW (lpString=".7z") returned 3 [0048.846] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0048.846] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0048.846] lstrlenW (lpString=".dbf") returned 4 [0048.846] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0048.846] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0048.846] lstrlenW (lpString=".1cd") returned 4 [0048.846] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0048.846] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0048.846] lstrlenW (lpString=".jpg") returned 4 [0048.846] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0048.847] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0048.847] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0048.847] lstrlenW (lpString=".doc") returned 4 [0048.847] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.847] lstrlenW (lpString=".docx") returned 5 [0048.847] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.847] lstrlenW (lpString=".pdf") returned 4 [0048.847] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.847] lstrlenW (lpString=".xls") returned 4 [0048.847] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.847] lstrlenW (lpString=".xlsx") returned 5 [0048.847] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.847] lstrlenW (lpString=".ppt") returned 4 [0048.847] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0048.847] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0048.847] lstrlenW (lpString=".zip") returned 4 [0048.847] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0048.847] lstrlenW (lpString=".rar") returned 4 [0048.847] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0048.847] lstrlenW (lpString=".bz2") returned 4 [0048.847] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0048.847] lstrlenW (lpString=".7z") returned 3 [0048.847] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0048.847] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0048.847] lstrlenW (lpString=".dbf") returned 4 [0048.847] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0048.847] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0048.847] lstrlenW (lpString=".1cd") returned 4 [0048.847] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0048.847] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0048.847] lstrlenW (lpString=".jpg") returned 4 [0048.848] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0048.848] lstrcmpiW (lpString1=".mui", lpString2=".bmd") returned 1 [0048.848] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0048.848] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0048.848] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=90704) returned 1 [0048.848] CloseHandle (hObject=0x19c) returned 1 [0048.848] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui")) returned 0x20 [0048.848] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.848] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.848] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0048.848] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0048.848] lstrlenW (lpString=".doc") returned 4 [0048.848] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.848] lstrlenW (lpString=".docx") returned 5 [0048.848] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.849] lstrlenW (lpString=".pdf") returned 4 [0048.849] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.849] lstrlenW (lpString=".xls") returned 4 [0048.849] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.849] lstrlenW (lpString=".xlsx") returned 5 [0048.849] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.849] lstrlenW (lpString=".ppt") returned 4 [0048.849] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0048.849] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0048.849] lstrlenW (lpString=".zip") returned 4 [0048.849] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0048.849] lstrlenW (lpString=".rar") returned 4 [0048.849] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0048.849] lstrlenW (lpString=".bz2") returned 4 [0048.849] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0048.849] lstrlenW (lpString=".7z") returned 3 [0048.849] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0048.849] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0048.849] lstrlenW (lpString=".dbf") returned 4 [0048.849] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0048.849] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0048.849] lstrlenW (lpString=".1cd") returned 4 [0048.849] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0048.849] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0048.849] lstrlenW (lpString=".jpg") returned 4 [0048.849] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0048.849] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0048.849] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0048.849] lstrlenW (lpString=".doc") returned 4 [0048.849] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.850] lstrlenW (lpString=".docx") returned 5 [0048.850] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.850] lstrlenW (lpString=".pdf") returned 4 [0048.850] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.850] lstrlenW (lpString=".xls") returned 4 [0048.850] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.850] lstrlenW (lpString=".xlsx") returned 5 [0048.850] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.850] lstrlenW (lpString=".ppt") returned 4 [0048.850] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0048.850] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0048.850] lstrlenW (lpString=".zip") returned 4 [0048.850] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0048.850] lstrlenW (lpString=".rar") returned 4 [0048.850] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0048.850] lstrlenW (lpString=".bz2") returned 4 [0048.850] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0048.850] lstrlenW (lpString=".7z") returned 3 [0048.850] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0048.850] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0048.850] lstrlenW (lpString=".dbf") returned 4 [0048.850] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0048.850] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0048.850] lstrlenW (lpString=".1cd") returned 4 [0048.850] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0048.850] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0048.850] lstrlenW (lpString=".jpg") returned 4 [0048.850] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0048.851] lstrcmpiW (lpString1=".mui", lpString2=".bmd") returned 1 [0048.851] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0048.851] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0048.851] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=76352) returned 1 [0048.851] CloseHandle (hObject=0x19c) returned 1 [0048.851] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui")) returned 0x20 [0048.851] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.851] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.851] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0048.851] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0048.851] lstrlenW (lpString=".doc") returned 4 [0048.851] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.851] lstrlenW (lpString=".docx") returned 5 [0048.851] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.851] lstrlenW (lpString=".pdf") returned 4 [0048.851] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.851] lstrlenW (lpString=".xls") returned 4 [0048.851] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.851] lstrlenW (lpString=".xlsx") returned 5 [0048.852] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.852] lstrlenW (lpString=".ppt") returned 4 [0048.852] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0048.852] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0048.852] lstrlenW (lpString=".zip") returned 4 [0048.852] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0048.852] lstrlenW (lpString=".rar") returned 4 [0048.852] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0048.852] lstrlenW (lpString=".bz2") returned 4 [0048.852] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0048.852] lstrlenW (lpString=".7z") returned 3 [0048.852] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0048.852] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0048.852] lstrlenW (lpString=".dbf") returned 4 [0048.852] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0048.852] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0048.852] lstrlenW (lpString=".1cd") returned 4 [0048.852] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0048.852] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0048.852] lstrlenW (lpString=".jpg") returned 4 [0048.852] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0048.852] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0048.852] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0048.852] lstrlenW (lpString=".doc") returned 4 [0048.852] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.852] lstrlenW (lpString=".docx") returned 5 [0048.852] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.852] lstrlenW (lpString=".pdf") returned 4 [0048.852] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.852] lstrlenW (lpString=".xls") returned 4 [0048.852] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.853] lstrlenW (lpString=".xlsx") returned 5 [0048.853] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.853] lstrlenW (lpString=".ppt") returned 4 [0048.853] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0048.853] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0048.853] lstrlenW (lpString=".zip") returned 4 [0048.853] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0048.853] lstrlenW (lpString=".rar") returned 4 [0048.853] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0048.853] lstrlenW (lpString=".bz2") returned 4 [0048.853] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0048.853] lstrlenW (lpString=".7z") returned 3 [0048.853] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0048.853] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0048.853] lstrlenW (lpString=".dbf") returned 4 [0048.853] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0048.853] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0048.853] lstrlenW (lpString=".1cd") returned 4 [0048.853] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0048.853] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0048.853] lstrlenW (lpString=".jpg") returned 4 [0048.853] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0048.854] lstrcmpiW (lpString1=".mui", lpString2=".bmd") returned 1 [0048.854] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0048.854] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0048.854] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=75344) returned 1 [0048.854] CloseHandle (hObject=0x19c) returned 1 [0048.854] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui")) returned 0x20 [0048.854] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.854] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.854] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0048.854] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0048.854] lstrlenW (lpString=".doc") returned 4 [0048.854] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.854] lstrlenW (lpString=".docx") returned 5 [0048.854] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.854] lstrlenW (lpString=".pdf") returned 4 [0048.854] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.854] lstrlenW (lpString=".xls") returned 4 [0048.854] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.854] lstrlenW (lpString=".xlsx") returned 5 [0048.855] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.855] lstrlenW (lpString=".ppt") returned 4 [0048.855] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0048.855] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0048.855] lstrlenW (lpString=".zip") returned 4 [0048.855] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0048.855] lstrlenW (lpString=".rar") returned 4 [0048.855] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0048.855] lstrlenW (lpString=".bz2") returned 4 [0048.855] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0048.855] lstrlenW (lpString=".7z") returned 3 [0048.855] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0048.855] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0048.855] lstrlenW (lpString=".dbf") returned 4 [0048.855] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0048.855] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0048.855] lstrlenW (lpString=".1cd") returned 4 [0048.855] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0048.855] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0048.855] lstrlenW (lpString=".jpg") returned 4 [0048.855] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0048.855] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0048.855] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0048.855] lstrlenW (lpString=".doc") returned 4 [0048.855] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.855] lstrlenW (lpString=".docx") returned 5 [0048.855] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.855] lstrlenW (lpString=".pdf") returned 4 [0048.855] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.855] lstrlenW (lpString=".xls") returned 4 [0048.856] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.856] lstrlenW (lpString=".xlsx") returned 5 [0048.856] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.856] lstrlenW (lpString=".ppt") returned 4 [0048.856] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0048.856] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0048.856] lstrlenW (lpString=".zip") returned 4 [0048.856] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0048.856] lstrlenW (lpString=".rar") returned 4 [0048.856] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0048.856] lstrlenW (lpString=".bz2") returned 4 [0048.856] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0048.856] lstrlenW (lpString=".7z") returned 3 [0048.856] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0048.856] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0048.856] lstrlenW (lpString=".dbf") returned 4 [0048.856] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0048.856] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0048.856] lstrlenW (lpString=".1cd") returned 4 [0048.856] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0048.856] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0048.856] lstrlenW (lpString=".jpg") returned 4 [0048.856] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0048.856] lstrcmpiW (lpString1=".exe", lpString2=".bmd") returned 1 [0048.856] lstrlenW (lpString="memtest.exe") returned 11 [0048.856] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0048.857] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=485760) returned 1 [0048.857] CloseHandle (hObject=0x19c) returned 1 [0048.857] GetFileAttributesW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe")) returned 0x20 [0048.857] GetFileAttributesW (lpFileName="C:\\Boot\\memtest.exe.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\memtest.exe.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.857] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.857] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0048.857] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0048.857] lstrlenW (lpString=".doc") returned 4 [0048.857] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0048.857] lstrlenW (lpString=".docx") returned 5 [0048.857] lstrcmpiW (lpString1=".docx", lpString2="t.exe") returned -1 [0048.857] lstrlenW (lpString=".pdf") returned 4 [0048.857] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0048.857] lstrlenW (lpString=".xls") returned 4 [0048.857] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0048.857] lstrlenW (lpString=".xlsx") returned 5 [0048.857] lstrcmpiW (lpString1=".xlsx", lpString2="t.exe") returned -1 [0048.857] lstrlenW (lpString=".ppt") returned 4 [0048.858] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0048.858] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0048.858] lstrlenW (lpString=".zip") returned 4 [0048.858] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0048.858] lstrlenW (lpString=".rar") returned 4 [0048.858] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0048.858] lstrlenW (lpString=".bz2") returned 4 [0048.858] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0048.858] lstrlenW (lpString=".7z") returned 3 [0048.858] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0048.858] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0048.858] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0048.858] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0048.858] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0048.858] lstrcmpiW (lpString1=".docx", lpString2="t.exe") returned -1 [0048.858] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0048.858] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0048.858] lstrcmpiW (lpString1=".xlsx", lpString2="t.exe") returned -1 [0048.858] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0048.858] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0048.858] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0048.858] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0048.859] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0048.859] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0048.859] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0048.859] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0048.859] lstrcmpiW (lpString1=".mui", lpString2=".bmd") returned 1 [0048.859] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=88144) returned 1 [0048.859] CloseHandle (hObject=0x19c) returned 1 [0048.860] GetFileAttributesW (lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui")) returned 0x20 [0048.860] GetFileAttributesW (lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.860] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.860] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.860] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.860] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.860] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.860] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.860] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0048.860] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0048.860] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0048.860] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0048.860] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0048.860] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0048.860] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0048.860] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0048.860] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.861] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.861] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.861] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.861] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.861] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0048.861] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0048.861] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0048.861] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0048.861] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0048.861] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0048.861] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0048.861] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0048.861] lstrcmpiW (lpString1=".mui", lpString2=".bmd") returned 1 [0048.861] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=90704) returned 1 [0048.861] CloseHandle (hObject=0x19c) returned 1 [0048.862] GetFileAttributesW (lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui")) returned 0x20 [0048.862] GetFileAttributesW (lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.862] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.862] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.862] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.862] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.862] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.862] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.862] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0048.862] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0048.862] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0048.862] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0048.862] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0048.862] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0048.862] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0048.862] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0048.862] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.863] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.863] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.863] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.863] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.863] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0048.863] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0048.863] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0048.863] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0048.863] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0048.863] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0048.863] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0048.863] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0048.863] lstrcmpiW (lpString1=".mui", lpString2=".bmd") returned 1 [0048.863] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=90704) returned 1 [0048.863] CloseHandle (hObject=0x19c) returned 1 [0048.864] GetFileAttributesW (lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui")) returned 0x20 [0048.864] GetFileAttributesW (lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.864] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.864] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0048.864] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0048.864] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0048.864] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0048.864] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0048.864] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=90176) returned 1 [0048.864] CloseHandle (hObject=0x19c) returned 1 [0048.864] GetFileAttributesW (lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui")) returned 0x20 [0048.864] GetFileAttributesW (lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.865] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.865] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=89664) returned 1 [0048.865] CloseHandle (hObject=0x19c) returned 1 [0048.865] GetFileAttributesW (lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui")) returned 0x20 [0048.865] GetFileAttributesW (lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.865] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.865] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=90192) returned 1 [0048.865] CloseHandle (hObject=0x19c) returned 1 [0048.865] GetFileAttributesW (lpFileName="C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui")) returned 0x20 [0048.866] GetFileAttributesW (lpFileName="C:\\Boot\\ru-RU\\bootmgr.exe.mui.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.866] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.866] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=87616) returned 1 [0048.866] CloseHandle (hObject=0x19c) returned 1 [0048.866] GetFileAttributesW (lpFileName="C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui")) returned 0x20 [0048.866] GetFileAttributesW (lpFileName="C:\\Boot\\sv-SE\\bootmgr.exe.mui.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.866] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.866] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=87104) returned 1 [0048.866] CloseHandle (hObject=0x19c) returned 1 [0048.866] GetFileAttributesW (lpFileName="C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui")) returned 0x20 [0048.867] GetFileAttributesW (lpFileName="C:\\Boot\\tr-TR\\bootmgr.exe.mui.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.867] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.867] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=70720) returned 1 [0048.867] CloseHandle (hObject=0x19c) returned 1 [0048.867] GetFileAttributesW (lpFileName="C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui")) returned 0x20 [0048.867] GetFileAttributesW (lpFileName="C:\\Boot\\zh-CN\\bootmgr.exe.mui.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.867] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.867] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=70224) returned 1 [0048.867] CloseHandle (hObject=0x19c) returned 1 [0048.867] GetFileAttributesW (lpFileName="C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui")) returned 0x20 [0048.868] GetFileAttributesW (lpFileName="C:\\Boot\\zh-HK\\bootmgr.exe.mui.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.868] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.868] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=70208) returned 1 [0048.868] CloseHandle (hObject=0x19c) returned 1 [0048.868] GetFileAttributesW (lpFileName="C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui")) returned 0x20 [0048.868] GetFileAttributesW (lpFileName="C:\\Boot\\zh-TW\\bootmgr.exe.mui.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.868] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.869] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=383786) returned 1 [0048.869] CloseHandle (hObject=0x19c) returned 1 [0048.869] GetFileAttributesW (lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr")) returned 0x27 [0048.869] GetFileAttributesW (lpFileName="C:\\bootmgr.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\bootmgr.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.869] SetFileAttributesW (lpFileName="C:\\bootmgr", dwFileAttributes=0x26) returned 0 [0048.869] CreateFileW (lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.869] lstrlenW (lpString="C:\\bootmgr") returned 10 [0048.869] lstrlenW (lpString="C:\\bootmgr") returned 10 [0048.869] lstrlenW (lpString=".doc") returned 4 [0048.870] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=16972987) returned 1 [0048.870] CloseHandle (hObject=0x19c) returned 1 [0048.870] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab")) returned 0x2020 [0048.870] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.870] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0048.871] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0048.871] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fc6c | out: lpNewFilePointer=0x0) returned 1 [0048.871] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.871] ReadFile (in: hFile=0x19c, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x360fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x360fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.149] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x56543e, lpNewFilePointer=0x0, dwMoveMethod=0x360fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.149] ReadFile (in: hFile=0x19c, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x360fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x360fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.387] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x360fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0051.387] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xfefcbb, lpNewFilePointer=0x0, dwMoveMethod=0x360fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.387] ReadFile (in: hFile=0x19c, lpBuffer=0x3e50058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x360fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e50058*, lpNumberOfBytesRead=0x360fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.492] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.492] WriteFile (in: hFile=0x19c, lpBuffer=0x3dd0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x360fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesWritten=0x360fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0051.564] SetEndOfFile (hFile=0x19c) returned 1 [0051.564] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x4082088 [0051.567] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.567] WriteFile (in: hFile=0x19c, lpBuffer=0x4082088*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x360fc88, lpOverlapped=0x0 | out: lpBuffer=0x4082088*, lpNumberOfBytesWritten=0x360fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.633] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x56543e, lpNewFilePointer=0x0, dwMoveMethod=0x360fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.633] WriteFile (in: hFile=0x19c, lpBuffer=0x4082088*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x360fc88, lpOverlapped=0x0 | out: lpBuffer=0x4082088*, lpNumberOfBytesWritten=0x360fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.634] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xfefcbb, lpNewFilePointer=0x0, dwMoveMethod=0x360fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.634] WriteFile (in: hFile=0x19c, lpBuffer=0x4082088*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x360fc88, lpOverlapped=0x0 | out: lpBuffer=0x4082088*, lpNumberOfBytesWritten=0x360fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.635] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4082088 | out: hHeap=0x5f0000) returned 1 [0051.636] CloseHandle (hObject=0x19c) returned 1 [0053.936] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0053.936] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0053.936] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0053.936] lstrlenW (lpString=".doc") returned 4 [0053.937] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0053.937] lstrlenW (lpString=".docx") returned 5 [0053.937] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0053.937] lstrlenW (lpString=".pdf") returned 4 [0053.937] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0053.937] lstrlenW (lpString=".xls") returned 4 [0053.937] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0053.937] lstrlenW (lpString=".xlsx") returned 5 [0053.937] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0053.937] lstrlenW (lpString=".ppt") returned 4 [0053.937] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0053.937] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0053.937] lstrlenW (lpString=".zip") returned 4 [0053.937] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0053.937] lstrlenW (lpString=".rar") returned 4 [0053.937] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0053.937] lstrlenW (lpString=".bz2") returned 4 [0053.937] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0053.937] lstrlenW (lpString=".7z") returned 3 [0053.937] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0053.937] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0053.937] lstrlenW (lpString=".dbf") returned 4 [0053.937] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0053.937] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0053.937] lstrlenW (lpString=".1cd") returned 4 [0053.937] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0053.937] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0053.937] lstrlenW (lpString=".jpg") returned 4 [0053.937] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0053.937] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0053.937] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0053.937] lstrlenW (lpString=".doc") returned 4 [0053.937] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0053.938] lstrlenW (lpString=".docx") returned 5 [0053.938] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0053.938] lstrlenW (lpString=".pdf") returned 4 [0053.938] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0053.938] lstrlenW (lpString=".xls") returned 4 [0053.938] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0053.938] lstrlenW (lpString=".xlsx") returned 5 [0053.938] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0053.938] lstrlenW (lpString=".ppt") returned 4 [0053.938] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0053.938] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0053.938] lstrlenW (lpString=".zip") returned 4 [0053.938] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0053.938] lstrlenW (lpString=".rar") returned 4 [0053.938] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0053.938] lstrlenW (lpString=".bz2") returned 4 [0053.938] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0053.938] lstrlenW (lpString=".7z") returned 3 [0053.938] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0053.938] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0053.938] lstrlenW (lpString=".dbf") returned 4 [0053.938] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0053.938] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0053.938] lstrlenW (lpString=".1cd") returned 4 [0053.938] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0053.938] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0053.938] lstrlenW (lpString=".jpg") returned 4 [0053.938] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0053.939] lstrcmpiW (lpString1=".cab", lpString2=".bmd") returned 1 [0053.939] lstrlenW (lpString="WordLR.cab") returned 10 [0053.939] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0054.486] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=43806141) returned 1 [0054.486] CloseHandle (hObject=0x19c) returned 1 [0054.486] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab")) returned 0x2020 [0054.486] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0054.486] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0054.487] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0054.487] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fc6c | out: lpNewFilePointer=0x0) returned 1 [0054.487] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.487] ReadFile (in: hFile=0x19c, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x360fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x360fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.544] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xdecf3f, lpNewFilePointer=0x0, dwMoveMethod=0x360fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.544] ReadFile (in: hFile=0x19c, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x360fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x360fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.554] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x360fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0054.554] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x2986dbd, lpNewFilePointer=0x0, dwMoveMethod=0x360fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.555] ReadFile (in: hFile=0x19c, lpBuffer=0x3e50058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x360fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e50058*, lpNumberOfBytesRead=0x360fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.671] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.672] WriteFile (in: hFile=0x19c, lpBuffer=0x3dd0020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x360fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesWritten=0x360fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0054.962] SetEndOfFile (hFile=0x19c) returned 1 [0054.962] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x40b20a0 [0054.966] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fc7c | out: lpNewFilePointer=0x0) returned 1 [0054.966] WriteFile (in: hFile=0x19c, lpBuffer=0x40b20a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x360fc88, lpOverlapped=0x0 | out: lpBuffer=0x40b20a0*, lpNumberOfBytesWritten=0x360fc88*=0x40000, lpOverlapped=0x0) returned 1 [0054.976] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xdecf3f, lpNewFilePointer=0x0, dwMoveMethod=0x360fc7c | out: lpNewFilePointer=0x0) returned 1 [0054.976] WriteFile (in: hFile=0x19c, lpBuffer=0x40b20a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x360fc88, lpOverlapped=0x0 | out: lpBuffer=0x40b20a0*, lpNumberOfBytesWritten=0x360fc88*=0x40000, lpOverlapped=0x0) returned 1 [0054.987] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x2986dbd, lpNewFilePointer=0x0, dwMoveMethod=0x360fc7c | out: lpNewFilePointer=0x0) returned 1 [0054.987] WriteFile (in: hFile=0x19c, lpBuffer=0x40b20a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x360fc88, lpOverlapped=0x0 | out: lpBuffer=0x40b20a0*, lpNumberOfBytesWritten=0x360fc88*=0x40000, lpOverlapped=0x0) returned 1 [0056.047] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x40b20a0 | out: hHeap=0x5f0000) returned 1 [0056.048] CloseHandle (hObject=0x19c) returned 1 [0059.599] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0059.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0059.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0059.600] lstrlenW (lpString=".doc") returned 4 [0059.600] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0059.600] lstrlenW (lpString=".docx") returned 5 [0059.600] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0059.600] lstrlenW (lpString=".pdf") returned 4 [0059.600] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0059.600] lstrlenW (lpString=".xls") returned 4 [0059.600] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0059.600] lstrlenW (lpString=".xlsx") returned 5 [0059.600] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0059.600] lstrlenW (lpString=".ppt") returned 4 [0059.600] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0059.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0059.600] lstrlenW (lpString=".zip") returned 4 [0059.600] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0059.600] lstrlenW (lpString=".rar") returned 4 [0059.600] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0059.603] lstrlenW (lpString=".bz2") returned 4 [0059.603] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0059.603] lstrlenW (lpString=".7z") returned 3 [0059.623] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0059.623] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0059.623] lstrlenW (lpString=".dbf") returned 4 [0059.623] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0059.623] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0059.623] lstrlenW (lpString=".1cd") returned 4 [0059.623] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0059.623] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0059.623] lstrlenW (lpString=".jpg") returned 4 [0059.623] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0059.623] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0059.623] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0059.623] lstrlenW (lpString=".doc") returned 4 [0059.623] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0059.623] lstrlenW (lpString=".docx") returned 5 [0059.624] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0059.624] lstrlenW (lpString=".pdf") returned 4 [0059.624] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0059.624] lstrlenW (lpString=".xls") returned 4 [0059.624] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0059.624] lstrlenW (lpString=".xlsx") returned 5 [0059.624] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0059.624] lstrlenW (lpString=".ppt") returned 4 [0059.624] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0059.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0059.624] lstrlenW (lpString=".zip") returned 4 [0059.624] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0059.624] lstrlenW (lpString=".rar") returned 4 [0059.624] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0059.624] lstrlenW (lpString=".bz2") returned 4 [0059.624] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0059.624] lstrlenW (lpString=".7z") returned 3 [0059.624] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0059.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0059.624] lstrlenW (lpString=".dbf") returned 4 [0059.624] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0059.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0059.624] lstrlenW (lpString=".1cd") returned 4 [0059.624] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0059.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0059.624] lstrlenW (lpString=".jpg") returned 4 [0059.625] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0059.625] lstrcmpiW (lpString1=".cab", lpString2=".bmd") returned 1 [0059.625] lstrlenW (lpString="Proof.cab") returned 9 [0059.625] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0059.625] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=21064532) returned 1 [0059.625] CloseHandle (hObject=0x20c) returned 1 [0059.625] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab")) returned 0x2020 [0059.625] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0059.625] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0061.090] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0061.090] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fc6c | out: lpNewFilePointer=0x0) returned 1 [0061.090] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fc2c | out: lpNewFilePointer=0x0) returned 1 [0061.090] ReadFile (in: hFile=0x20c, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x360fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x360fc38*=0x40000, lpOverlapped=0x0) returned 1 [0061.235] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x6b23c6, lpNewFilePointer=0x0, dwMoveMethod=0x360fc2c | out: lpNewFilePointer=0x0) returned 1 [0061.235] ReadFile (in: hFile=0x20c, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x360fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x360fc38*=0x40000, lpOverlapped=0x0) returned 1 [0061.240] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x360fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0061.240] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x13d6b54, lpNewFilePointer=0x0, dwMoveMethod=0x360fc2c | out: lpNewFilePointer=0x0) returned 1 [0061.240] ReadFile (in: hFile=0x20c, lpBuffer=0x3e50058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x360fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e50058*, lpNumberOfBytesRead=0x360fc38*=0x40000, lpOverlapped=0x0) returned 1 [0061.265] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.265] WriteFile (in: hFile=0x20c, lpBuffer=0x3dd0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x360fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesWritten=0x360fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0062.044] SetEndOfFile (hFile=0x20c) returned 1 [0062.044] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x40a2098 [0062.222] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fc7c | out: lpNewFilePointer=0x0) returned 1 [0062.223] WriteFile (in: hFile=0x20c, lpBuffer=0x40a2098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x360fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a2098*, lpNumberOfBytesWritten=0x360fc88*=0x40000, lpOverlapped=0x0) returned 1 [0062.224] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x6b23c6, lpNewFilePointer=0x0, dwMoveMethod=0x360fc7c | out: lpNewFilePointer=0x0) returned 1 [0062.224] WriteFile (in: hFile=0x20c, lpBuffer=0x40a2098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x360fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a2098*, lpNumberOfBytesWritten=0x360fc88*=0x40000, lpOverlapped=0x0) returned 1 [0062.225] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x13d6b54, lpNewFilePointer=0x0, dwMoveMethod=0x360fc7c | out: lpNewFilePointer=0x0) returned 1 [0062.225] WriteFile (in: hFile=0x20c, lpBuffer=0x40a2098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x360fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a2098*, lpNumberOfBytesWritten=0x360fc88*=0x40000, lpOverlapped=0x0) returned 1 [0062.227] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x40a2098 | out: hHeap=0x5f0000) returned 1 [0062.227] CloseHandle (hObject=0x20c) returned 1 [0063.081] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0063.081] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0063.081] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0063.081] lstrlenW (lpString=".doc") returned 4 [0063.081] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0063.081] lstrlenW (lpString=".docx") returned 5 [0063.081] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0063.081] lstrlenW (lpString=".pdf") returned 4 [0063.081] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0063.081] lstrlenW (lpString=".xls") returned 4 [0063.081] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0063.081] lstrlenW (lpString=".xlsx") returned 5 [0063.081] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0063.082] lstrlenW (lpString=".ppt") returned 4 [0063.082] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0063.082] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0063.082] lstrlenW (lpString=".zip") returned 4 [0063.082] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0063.082] lstrlenW (lpString=".rar") returned 4 [0063.082] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0063.082] lstrlenW (lpString=".bz2") returned 4 [0063.082] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0063.082] lstrlenW (lpString=".7z") returned 3 [0063.082] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0063.082] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0063.082] lstrlenW (lpString=".dbf") returned 4 [0063.082] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0063.082] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0063.082] lstrlenW (lpString=".1cd") returned 4 [0063.082] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0063.082] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0063.082] lstrlenW (lpString=".jpg") returned 4 [0063.082] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0063.082] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0063.082] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0063.082] lstrlenW (lpString=".doc") returned 4 [0063.082] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0063.082] lstrlenW (lpString=".docx") returned 5 [0063.082] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0063.082] lstrlenW (lpString=".pdf") returned 4 [0063.082] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0063.082] lstrlenW (lpString=".xls") returned 4 [0063.082] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0063.082] lstrlenW (lpString=".xlsx") returned 5 [0063.082] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0063.083] lstrlenW (lpString=".ppt") returned 4 [0063.083] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0063.083] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0063.083] lstrlenW (lpString=".zip") returned 4 [0063.083] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0063.083] lstrlenW (lpString=".rar") returned 4 [0063.083] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0063.083] lstrlenW (lpString=".bz2") returned 4 [0063.083] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0063.083] lstrlenW (lpString=".7z") returned 3 [0063.083] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0063.083] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0063.083] lstrlenW (lpString=".dbf") returned 4 [0063.083] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0063.083] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0063.083] lstrlenW (lpString=".1cd") returned 4 [0063.083] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0063.083] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0063.083] lstrlenW (lpString=".jpg") returned 4 [0063.083] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0063.083] lstrcmpiW (lpString1=".msi", lpString2=".bmd") returned 1 [0063.083] lstrlenW (lpString="OneNoteMUI.msi") returned 14 [0063.083] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0063.084] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=2503680) returned 1 [0063.084] CloseHandle (hObject=0x20c) returned 1 [0063.084] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi")) returned 0x2020 [0063.084] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0063.084] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0063.084] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0063.085] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fc6c | out: lpNewFilePointer=0x0) returned 1 [0063.085] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fc2c | out: lpNewFilePointer=0x0) returned 1 [0063.085] ReadFile (in: hFile=0x20c, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x360fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x360fc38*=0x40000, lpOverlapped=0x0) returned 1 [0063.789] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x360fc2c | out: lpNewFilePointer=0x0) returned 1 [0063.789] ReadFile (in: hFile=0x20c, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x360fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x360fc38*=0x40000, lpOverlapped=0x0) returned 1 [0063.858] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x360fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0063.858] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x360fc2c | out: lpNewFilePointer=0x0) returned 1 [0063.859] ReadFile (in: hFile=0x20c, lpBuffer=0x3e50058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x360fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e50058*, lpNumberOfBytesRead=0x360fc38*=0x40000, lpOverlapped=0x0) returned 1 [0063.876] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0063.876] WriteFile (in: hFile=0x20c, lpBuffer=0x3dd0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x360fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesWritten=0x360fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0064.350] SetEndOfFile (hFile=0x20c) returned 1 [0065.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x4092090 [0065.134] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fc7c | out: lpNewFilePointer=0x0) returned 1 [0065.134] WriteFile (in: hFile=0x20c, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x360fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x360fc88*=0x40000, lpOverlapped=0x0) returned 1 [0065.136] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x360fc7c | out: lpNewFilePointer=0x0) returned 1 [0065.136] WriteFile (in: hFile=0x20c, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x360fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x360fc88*=0x40000, lpOverlapped=0x0) returned 1 [0065.147] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x360fc7c | out: lpNewFilePointer=0x0) returned 1 [0065.147] WriteFile (in: hFile=0x20c, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x360fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x360fc88*=0x40000, lpOverlapped=0x0) returned 1 [0065.151] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4092090 | out: hHeap=0x5f0000) returned 1 [0065.151] CloseHandle (hObject=0x20c) returned 1 [0065.152] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0065.152] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0065.152] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0065.152] lstrlenW (lpString=".doc") returned 4 [0065.152] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0065.152] lstrlenW (lpString=".docx") returned 5 [0065.152] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0065.152] lstrlenW (lpString=".pdf") returned 4 [0065.152] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0065.152] lstrlenW (lpString=".xls") returned 4 [0065.152] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0065.152] lstrlenW (lpString=".xlsx") returned 5 [0065.152] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0065.153] lstrlenW (lpString=".ppt") returned 4 [0065.153] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0065.153] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0065.153] lstrlenW (lpString=".zip") returned 4 [0065.153] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0065.153] lstrlenW (lpString=".rar") returned 4 [0065.153] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0065.153] lstrlenW (lpString=".bz2") returned 4 [0065.153] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0065.153] lstrlenW (lpString=".7z") returned 3 [0065.153] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0065.153] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0065.153] lstrlenW (lpString=".dbf") returned 4 [0065.153] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0065.153] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0065.153] lstrlenW (lpString=".1cd") returned 4 [0065.153] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0065.153] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0065.153] lstrlenW (lpString=".jpg") returned 4 [0065.153] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0065.153] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0065.153] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0065.153] lstrlenW (lpString=".doc") returned 4 [0065.153] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0065.153] lstrlenW (lpString=".docx") returned 5 [0065.154] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0065.154] lstrlenW (lpString=".pdf") returned 4 [0065.154] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0065.154] lstrlenW (lpString=".xls") returned 4 [0065.154] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0065.154] lstrlenW (lpString=".xlsx") returned 5 [0065.154] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0065.154] lstrlenW (lpString=".ppt") returned 4 [0065.154] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0065.154] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0065.154] lstrlenW (lpString=".zip") returned 4 [0065.154] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0065.154] lstrlenW (lpString=".rar") returned 4 [0065.154] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0065.154] lstrlenW (lpString=".bz2") returned 4 [0065.154] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0065.154] lstrlenW (lpString=".7z") returned 3 [0065.154] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0065.154] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0065.154] lstrlenW (lpString=".dbf") returned 4 [0065.154] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0065.154] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0065.154] lstrlenW (lpString=".1cd") returned 4 [0065.154] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0065.154] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0065.155] lstrlenW (lpString=".jpg") returned 4 [0065.155] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0065.155] lstrcmpiW (lpString1=".msi", lpString2=".bmd") returned 1 [0065.155] lstrlenW (lpString="ProjectMUI.msi") returned 14 [0065.155] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0065.234] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=2511872) returned 1 [0065.234] CloseHandle (hObject=0x1f4) returned 1 [0065.234] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi")) returned 0x2020 [0065.234] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0065.234] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0065.235] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0065.235] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fc6c | out: lpNewFilePointer=0x0) returned 1 [0065.235] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fc2c | out: lpNewFilePointer=0x0) returned 1 [0065.235] ReadFile (in: hFile=0x1f4, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x360fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x360fc38*=0x40000, lpOverlapped=0x0) returned 1 [0065.246] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xcc6aa, lpNewFilePointer=0x0, dwMoveMethod=0x360fc2c | out: lpNewFilePointer=0x0) returned 1 [0065.246] ReadFile (in: hFile=0x1f4, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x360fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x360fc38*=0x40000, lpOverlapped=0x0) returned 1 [0066.532] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x360fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0066.532] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x225400, lpNewFilePointer=0x0, dwMoveMethod=0x360fc2c | out: lpNewFilePointer=0x0) returned 1 [0066.532] ReadFile (in: hFile=0x1f4, lpBuffer=0x3e50058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x360fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e50058*, lpNumberOfBytesRead=0x360fc38*=0x40000, lpOverlapped=0x0) returned 1 [0066.734] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0066.734] WriteFile (in: hFile=0x1f4, lpBuffer=0x3dd0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x360fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesWritten=0x360fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0066.763] SetEndOfFile (hFile=0x1f4) returned 1 [0066.766] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x4092090 [0066.766] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fc7c | out: lpNewFilePointer=0x0) returned 1 [0066.766] WriteFile (in: hFile=0x1f4, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x360fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x360fc88*=0x40000, lpOverlapped=0x0) returned 1 [0066.768] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xcc6aa, lpNewFilePointer=0x0, dwMoveMethod=0x360fc7c | out: lpNewFilePointer=0x0) returned 1 [0066.768] WriteFile (in: hFile=0x1f4, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x360fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x360fc88*=0x40000, lpOverlapped=0x0) returned 1 [0066.775] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x225400, lpNewFilePointer=0x0, dwMoveMethod=0x360fc7c | out: lpNewFilePointer=0x0) returned 1 [0066.775] WriteFile (in: hFile=0x1f4, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x360fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x360fc88*=0x40000, lpOverlapped=0x0) returned 1 [0066.897] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4092090 | out: hHeap=0x5f0000) returned 1 [0066.897] CloseHandle (hObject=0x1f4) returned 1 [0066.897] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0066.897] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0066.897] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0066.897] lstrlenW (lpString=".doc") returned 4 [0066.897] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0066.897] lstrlenW (lpString=".docx") returned 5 [0066.898] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0066.898] lstrlenW (lpString=".pdf") returned 4 [0066.898] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0066.898] lstrlenW (lpString=".xls") returned 4 [0066.898] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0066.898] lstrlenW (lpString=".xlsx") returned 5 [0066.898] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0066.898] lstrlenW (lpString=".ppt") returned 4 [0066.898] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0066.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0066.898] lstrlenW (lpString=".zip") returned 4 [0066.898] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0066.898] lstrlenW (lpString=".rar") returned 4 [0066.898] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0066.898] lstrlenW (lpString=".bz2") returned 4 [0066.898] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0066.898] lstrlenW (lpString=".7z") returned 3 [0066.898] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0066.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0066.898] lstrlenW (lpString=".dbf") returned 4 [0066.898] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0066.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0066.898] lstrlenW (lpString=".1cd") returned 4 [0066.898] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0066.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0066.898] lstrlenW (lpString=".jpg") returned 4 [0066.898] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0066.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0066.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0066.898] lstrlenW (lpString=".doc") returned 4 [0066.898] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0066.899] lstrlenW (lpString=".docx") returned 5 [0066.899] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0066.899] lstrlenW (lpString=".pdf") returned 4 [0066.899] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0066.899] lstrlenW (lpString=".xls") returned 4 [0066.899] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0066.899] lstrlenW (lpString=".xlsx") returned 5 [0066.899] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0066.899] lstrlenW (lpString=".ppt") returned 4 [0066.899] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0066.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0066.899] lstrlenW (lpString=".zip") returned 4 [0066.899] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0066.899] lstrlenW (lpString=".rar") returned 4 [0066.899] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0066.899] lstrlenW (lpString=".bz2") returned 4 [0066.899] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0066.899] lstrlenW (lpString=".7z") returned 3 [0066.899] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0066.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0066.899] lstrlenW (lpString=".dbf") returned 4 [0066.899] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0066.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0066.899] lstrlenW (lpString=".1cd") returned 4 [0066.899] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0066.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0066.899] lstrlenW (lpString=".jpg") returned 4 [0066.899] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0066.900] lstrcmpiW (lpString1=".manifest", lpString2=".bmd") returned 1 [0066.900] lstrlenW (lpString="Microsoft.VC90.CRT.manifest") returned 27 [0066.900] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0067.210] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=1857) returned 1 [0067.210] CloseHandle (hObject=0x19c) returned 1 [0067.214] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest")) returned 0x2020 [0067.215] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.215] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0067.215] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.215] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.215] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0067.215] GetLastError () returned 0x0 [0067.215] ReadFile (in: hFile=0x19c, lpBuffer=0x3dd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x360fed4, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesRead=0x360fed4*=0x741, lpOverlapped=0x0) returned 1 [0067.227] WriteFile (in: hFile=0x198, lpBuffer=0x3dd0020*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x360fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesWritten=0x360fc9c*=0x750, lpOverlapped=0x0) returned 1 [0067.228] ReadFile (in: hFile=0x19c, lpBuffer=0x3dd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x360fed4, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesRead=0x360fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.229] WriteFile (in: hFile=0x198, lpBuffer=0x3dd0020*, nNumberOfBytesToWrite=0x10a, lpNumberOfBytesWritten=0x360fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesWritten=0x360fc9c*=0x10a, lpOverlapped=0x0) returned 1 [0067.229] SetEndOfFile (hFile=0x198) returned 1 [0067.229] CloseHandle (hObject=0x198) returned 1 [0067.229] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.229] SetEndOfFile (hFile=0x19c) returned 1 [0067.230] CloseHandle (hObject=0x19c) returned 1 [0067.231] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0067.231] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest")) returned 1 [0067.231] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0067.231] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0067.231] lstrlenW (lpString=".doc") returned 4 [0067.231] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0067.231] lstrlenW (lpString=".docx") returned 5 [0067.231] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0067.231] lstrlenW (lpString=".pdf") returned 4 [0067.231] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0067.231] lstrlenW (lpString=".xls") returned 4 [0067.231] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0067.231] lstrlenW (lpString=".xlsx") returned 5 [0067.231] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0067.232] lstrlenW (lpString=".ppt") returned 4 [0067.232] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0067.232] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0067.232] lstrlenW (lpString=".zip") returned 4 [0067.232] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0067.232] lstrlenW (lpString=".rar") returned 4 [0067.232] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0067.232] lstrlenW (lpString=".bz2") returned 4 [0067.232] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0067.232] lstrlenW (lpString=".7z") returned 3 [0067.232] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0067.232] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0067.232] lstrlenW (lpString=".dbf") returned 4 [0067.232] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0067.232] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0067.232] lstrlenW (lpString=".1cd") returned 4 [0067.232] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0067.232] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0067.232] lstrlenW (lpString=".jpg") returned 4 [0067.232] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0067.232] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0067.232] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0067.232] lstrlenW (lpString=".doc") returned 4 [0067.232] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0067.232] lstrlenW (lpString=".docx") returned 5 [0067.232] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0067.233] lstrlenW (lpString=".pdf") returned 4 [0067.233] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0067.233] lstrlenW (lpString=".xls") returned 4 [0067.233] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0067.233] lstrlenW (lpString=".xlsx") returned 5 [0067.233] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0067.233] lstrlenW (lpString=".ppt") returned 4 [0067.233] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0067.233] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0067.233] lstrlenW (lpString=".zip") returned 4 [0067.233] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0067.233] lstrlenW (lpString=".rar") returned 4 [0067.233] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0067.233] lstrlenW (lpString=".bz2") returned 4 [0067.233] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0067.233] lstrlenW (lpString=".7z") returned 3 [0067.233] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0067.233] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0067.233] lstrlenW (lpString=".dbf") returned 4 [0067.233] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0067.233] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0067.233] lstrlenW (lpString=".1cd") returned 4 [0067.233] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0067.233] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0067.234] lstrlenW (lpString=".jpg") returned 4 [0067.234] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0067.234] lstrcmpiW (lpString1=".dll", lpString2=".bmd") returned 1 [0067.234] lstrlenW (lpString="msvcr90.dll") returned 11 [0067.234] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0067.234] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=655872) returned 1 [0067.234] CloseHandle (hObject=0x19c) returned 1 [0067.234] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll")) returned 0x2020 [0067.234] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.235] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0067.235] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.235] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.235] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0067.235] GetLastError () returned 0x0 [0067.235] ReadFile (in: hFile=0x19c, lpBuffer=0x3dd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x360fed4, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesRead=0x360fed4*=0xa0200, lpOverlapped=0x0) returned 1 [0067.250] WriteFile (in: hFile=0x198, lpBuffer=0x3dd0020*, nNumberOfBytesToWrite=0xa0210, lpNumberOfBytesWritten=0x360fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesWritten=0x360fc9c*=0xa0210, lpOverlapped=0x0) returned 1 [0067.415] ReadFile (in: hFile=0x19c, lpBuffer=0x3dd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x360fed4, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesRead=0x360fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.418] WriteFile (in: hFile=0x198, lpBuffer=0x3dd0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x360fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesWritten=0x360fc9c*=0xea, lpOverlapped=0x0) returned 1 [0067.418] SetEndOfFile (hFile=0x198) returned 1 [0067.418] CloseHandle (hObject=0x198) returned 1 [0067.419] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.419] SetEndOfFile (hFile=0x19c) returned 1 [0067.426] CloseHandle (hObject=0x19c) returned 1 [0067.426] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0067.427] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll")) returned 1 [0067.427] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0067.427] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0067.427] lstrlenW (lpString=".doc") returned 4 [0067.427] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0067.428] lstrlenW (lpString=".docx") returned 5 [0067.428] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0067.428] lstrlenW (lpString=".pdf") returned 4 [0067.428] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0067.428] lstrlenW (lpString=".xls") returned 4 [0067.428] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0067.428] lstrlenW (lpString=".xlsx") returned 5 [0067.428] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0067.428] lstrlenW (lpString=".ppt") returned 4 [0067.428] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0067.428] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0067.428] lstrlenW (lpString=".zip") returned 4 [0067.428] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0067.428] lstrlenW (lpString=".rar") returned 4 [0067.428] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0067.428] lstrlenW (lpString=".bz2") returned 4 [0067.428] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0067.428] lstrlenW (lpString=".7z") returned 3 [0067.428] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0067.428] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0067.428] lstrlenW (lpString=".dbf") returned 4 [0067.428] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0067.428] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0067.428] lstrlenW (lpString=".1cd") returned 4 [0067.428] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0067.428] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0067.428] lstrlenW (lpString=".jpg") returned 4 [0067.429] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0067.429] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0067.429] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0067.429] lstrlenW (lpString=".doc") returned 4 [0067.429] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0067.429] lstrlenW (lpString=".docx") returned 5 [0067.429] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0067.429] lstrlenW (lpString=".pdf") returned 4 [0067.429] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0067.429] lstrlenW (lpString=".xls") returned 4 [0067.429] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0067.429] lstrlenW (lpString=".xlsx") returned 5 [0067.429] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0067.429] lstrlenW (lpString=".ppt") returned 4 [0067.429] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0067.429] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0067.429] lstrlenW (lpString=".zip") returned 4 [0067.429] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0067.429] lstrlenW (lpString=".rar") returned 4 [0067.429] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0067.429] lstrlenW (lpString=".bz2") returned 4 [0067.429] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0067.429] lstrlenW (lpString=".7z") returned 3 [0067.429] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0067.429] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0067.429] lstrlenW (lpString=".dbf") returned 4 [0067.430] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0067.430] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0067.430] lstrlenW (lpString=".1cd") returned 4 [0067.430] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0067.430] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0067.430] lstrlenW (lpString=".jpg") returned 4 [0067.430] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0067.430] lstrcmpiW (lpString1=".dll", lpString2=".bmd") returned 1 [0067.430] lstrlenW (lpString="osetupui.dll") returned 12 [0067.430] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0067.431] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=191872) returned 1 [0067.431] CloseHandle (hObject=0x19c) returned 1 [0067.431] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll")) returned 0x2020 [0067.431] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.431] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0067.431] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.431] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.431] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0067.432] GetLastError () returned 0x0 [0067.432] ReadFile (in: hFile=0x19c, lpBuffer=0x3dd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x360fed4, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesRead=0x360fed4*=0x2ed80, lpOverlapped=0x0) returned 1 [0067.438] WriteFile (in: hFile=0x198, lpBuffer=0x3dd0020*, nNumberOfBytesToWrite=0x2ed90, lpNumberOfBytesWritten=0x360fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesWritten=0x360fc9c*=0x2ed90, lpOverlapped=0x0) returned 1 [0067.444] ReadFile (in: hFile=0x19c, lpBuffer=0x3dd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x360fed4, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesRead=0x360fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.444] WriteFile (in: hFile=0x198, lpBuffer=0x3dd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x360fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesWritten=0x360fc9c*=0xec, lpOverlapped=0x0) returned 1 [0067.444] SetEndOfFile (hFile=0x198) returned 1 [0067.444] CloseHandle (hObject=0x198) returned 1 [0067.445] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.445] SetEndOfFile (hFile=0x19c) returned 1 [0067.447] CloseHandle (hObject=0x19c) returned 1 [0067.447] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0067.448] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll")) returned 1 [0067.448] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0067.448] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0067.619] lstrlenW (lpString=".doc") returned 4 [0067.619] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0067.620] lstrlenW (lpString=".docx") returned 5 [0067.667] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0067.667] lstrlenW (lpString=".pdf") returned 4 [0067.667] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0067.667] lstrlenW (lpString=".xls") returned 4 [0067.667] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0067.667] lstrlenW (lpString=".xlsx") returned 5 [0067.667] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0067.667] lstrlenW (lpString=".ppt") returned 4 [0067.667] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0067.667] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0067.667] lstrlenW (lpString=".zip") returned 4 [0067.667] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0067.667] lstrlenW (lpString=".rar") returned 4 [0067.667] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0067.667] lstrlenW (lpString=".bz2") returned 4 [0067.667] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0067.668] lstrlenW (lpString=".7z") returned 3 [0067.668] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0067.668] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0067.668] lstrlenW (lpString=".dbf") returned 4 [0067.668] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0067.668] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0067.668] lstrlenW (lpString=".1cd") returned 4 [0067.668] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0067.668] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0067.668] lstrlenW (lpString=".jpg") returned 4 [0067.668] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0067.668] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0067.668] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0067.668] lstrlenW (lpString=".doc") returned 4 [0067.668] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0067.668] lstrlenW (lpString=".docx") returned 5 [0067.668] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0067.668] lstrlenW (lpString=".pdf") returned 4 [0067.668] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0067.668] lstrlenW (lpString=".xls") returned 4 [0067.668] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0067.668] lstrlenW (lpString=".xlsx") returned 5 [0067.668] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0067.668] lstrlenW (lpString=".ppt") returned 4 [0067.669] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0067.669] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0067.669] lstrlenW (lpString=".zip") returned 4 [0067.669] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0067.669] lstrlenW (lpString=".rar") returned 4 [0067.669] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0067.669] lstrlenW (lpString=".bz2") returned 4 [0067.669] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0067.669] lstrlenW (lpString=".7z") returned 3 [0067.669] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0067.669] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0067.669] lstrlenW (lpString=".dbf") returned 4 [0067.669] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0067.669] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0067.669] lstrlenW (lpString=".1cd") returned 4 [0067.669] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0067.669] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0067.669] lstrlenW (lpString=".jpg") returned 4 [0067.669] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0067.669] lstrcmpiW (lpString1=".msi", lpString2=".bmd") returned 1 [0067.670] lstrlenW (lpString="AccessMUI.msi") returned 13 [0067.670] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0067.842] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=2517504) returned 1 [0067.843] CloseHandle (hObject=0x1f0) returned 1 [0067.843] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi")) returned 0x2020 [0067.843] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.849] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0067.885] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0067.886] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fc6c | out: lpNewFilePointer=0x0) returned 1 [0067.886] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fc2c | out: lpNewFilePointer=0x0) returned 1 [0067.886] ReadFile (in: hFile=0x1f0, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x360fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x360fc38*=0x40000, lpOverlapped=0x0) returned 1 [0067.903] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xcce00, lpNewFilePointer=0x0, dwMoveMethod=0x360fc2c | out: lpNewFilePointer=0x0) returned 1 [0067.903] ReadFile (in: hFile=0x1f0, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x360fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x360fc38*=0x40000, lpOverlapped=0x0) returned 1 [0067.959] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x360fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0067.959] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x226a00, lpNewFilePointer=0x0, dwMoveMethod=0x360fc2c | out: lpNewFilePointer=0x0) returned 1 [0067.959] ReadFile (in: hFile=0x1f0, lpBuffer=0x3e50058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x360fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e50058*, lpNumberOfBytesRead=0x360fc38*=0x40000, lpOverlapped=0x0) returned 1 [0069.021] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.021] WriteFile (in: hFile=0x1f0, lpBuffer=0x3dd0020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x360fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesWritten=0x360fcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0069.046] SetEndOfFile (hFile=0x1f0) returned 1 [0069.046] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x4092090 [0069.046] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fc7c | out: lpNewFilePointer=0x0) returned 1 [0069.046] WriteFile (in: hFile=0x1f0, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x360fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x360fc88*=0x40000, lpOverlapped=0x0) returned 1 [0069.048] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xcce00, lpNewFilePointer=0x0, dwMoveMethod=0x360fc7c | out: lpNewFilePointer=0x0) returned 1 [0069.048] WriteFile (in: hFile=0x1f0, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x360fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x360fc88*=0x40000, lpOverlapped=0x0) returned 1 [0069.385] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x226a00, lpNewFilePointer=0x0, dwMoveMethod=0x360fc7c | out: lpNewFilePointer=0x0) returned 1 [0069.385] WriteFile (in: hFile=0x1f0, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x360fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x360fc88*=0x40000, lpOverlapped=0x0) returned 1 [0069.389] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4092090 | out: hHeap=0x5f0000) returned 1 [0069.389] CloseHandle (hObject=0x1f0) returned 1 [0069.390] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0069.390] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0069.390] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0069.390] lstrlenW (lpString=".doc") returned 4 [0069.390] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0069.390] lstrlenW (lpString=".docx") returned 5 [0069.390] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0069.390] lstrlenW (lpString=".pdf") returned 4 [0069.390] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0069.390] lstrlenW (lpString=".xls") returned 4 [0069.390] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0069.390] lstrlenW (lpString=".xlsx") returned 5 [0069.391] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0069.391] lstrlenW (lpString=".ppt") returned 4 [0069.391] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0069.391] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0069.391] lstrlenW (lpString=".zip") returned 4 [0069.391] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0069.391] lstrlenW (lpString=".rar") returned 4 [0069.391] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0069.391] lstrlenW (lpString=".bz2") returned 4 [0069.391] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0069.391] lstrlenW (lpString=".7z") returned 3 [0069.391] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0069.391] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0069.391] lstrlenW (lpString=".dbf") returned 4 [0069.391] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0069.391] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0069.391] lstrlenW (lpString=".1cd") returned 4 [0069.391] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0069.391] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0069.391] lstrlenW (lpString=".jpg") returned 4 [0069.391] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0069.391] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0069.391] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0069.391] lstrlenW (lpString=".doc") returned 4 [0069.392] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0069.392] lstrlenW (lpString=".docx") returned 5 [0069.392] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0069.392] lstrlenW (lpString=".pdf") returned 4 [0069.392] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0069.392] lstrlenW (lpString=".xls") returned 4 [0069.392] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0069.392] lstrlenW (lpString=".xlsx") returned 5 [0069.392] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0069.392] lstrlenW (lpString=".ppt") returned 4 [0069.392] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0069.392] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0069.392] lstrlenW (lpString=".zip") returned 4 [0069.392] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0069.392] lstrlenW (lpString=".rar") returned 4 [0069.392] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0069.392] lstrlenW (lpString=".bz2") returned 4 [0069.392] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0069.392] lstrlenW (lpString=".7z") returned 3 [0069.392] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0069.392] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0069.392] lstrlenW (lpString=".dbf") returned 4 [0069.392] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0069.392] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0069.393] lstrlenW (lpString=".1cd") returned 4 [0069.393] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0069.393] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0069.393] lstrlenW (lpString=".jpg") returned 4 [0069.393] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0069.393] lstrcmpiW (lpString1=".dll", lpString2=".bmd") returned 1 [0069.393] lstrlenW (lpString="PidGenX.dll") returned 11 [0069.393] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0069.394] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=1463568) returned 1 [0069.394] CloseHandle (hObject=0x1f0) returned 1 [0069.394] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 0x2020 [0069.394] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0069.394] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0069.394] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.394] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.394] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0069.395] GetLastError () returned 0x0 [0069.395] ReadFile (in: hFile=0x1f0, lpBuffer=0x3dd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x360fed4, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesRead=0x360fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0069.872] WriteFile (in: hFile=0x1f4, lpBuffer=0x3dd0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x360fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesWritten=0x360fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0069.898] ReadFile (in: hFile=0x1f0, lpBuffer=0x3dd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x360fed4, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesRead=0x360fed4*=0x65520, lpOverlapped=0x0) returned 1 [0070.042] WriteFile (in: hFile=0x1f4, lpBuffer=0x3dd0020*, nNumberOfBytesToWrite=0x65530, lpNumberOfBytesWritten=0x360fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesWritten=0x360fc9c*=0x65530, lpOverlapped=0x0) returned 1 [0070.190] ReadFile (in: hFile=0x1f0, lpBuffer=0x3dd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x360fed4, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesRead=0x360fed4*=0x0, lpOverlapped=0x0) returned 1 [0070.190] WriteFile (in: hFile=0x1f4, lpBuffer=0x3dd0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x360fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3dd0020*, lpNumberOfBytesWritten=0x360fc9c*=0xea, lpOverlapped=0x0) returned 1 [0070.190] SetEndOfFile (hFile=0x1f4) Thread: id = 20 os_tid = 0x700 [0048.380] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x39200a8 [0048.380] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x39300b0 [0048.381] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646b50 [0048.381] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x646f90 [0048.381] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646b68 [0048.381] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x3ee0020 [0048.381] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646b80 [0048.381] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646b80, Size=0x20) returned 0x63c758 [0048.381] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x646b80 [0048.381] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x646b80, Size=0x20) returned 0x63c7a8 [0048.382] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0048.382] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0048.382] Wow64DisableWow64FsRedirection (in: OldValue=0x385ff58 | out: OldValue=0x385ff58*=0x0) returned 1 [0048.382] lstrlenW (lpString="kernel32.dll") returned 12 [0048.382] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c758 | out: hHeap=0x5f0000) returned 1 [0048.382] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0048.382] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c7a8 | out: hHeap=0x5f0000) returned 1 [0048.384] Sleep (dwMilliseconds=0x64) [0048.597] lstrcmpiW (lpString1=".ttf", lpString2=".bmd") returned 1 [0048.597] lstrlenW (lpString="wgl4_boot.ttf") returned 13 [0048.597] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0048.880] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x385ff1c | out: lpFileSize=0x385ff1c*=47452) returned 1 [0048.880] CloseHandle (hObject=0x1a0) returned 1 [0048.880] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf")) returned 0x20 [0048.880] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.881] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.881] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0048.881] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0048.881] lstrlenW (lpString=".doc") returned 4 [0048.881] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0048.881] lstrlenW (lpString=".docx") returned 5 [0048.881] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0048.881] lstrlenW (lpString=".pdf") returned 4 [0048.881] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0048.881] lstrlenW (lpString=".xls") returned 4 [0048.881] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0048.881] lstrlenW (lpString=".xlsx") returned 5 [0048.881] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0048.881] lstrlenW (lpString=".ppt") returned 4 [0048.881] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0048.881] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0048.881] lstrlenW (lpString=".zip") returned 4 [0048.881] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0048.881] lstrlenW (lpString=".rar") returned 4 [0048.881] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0048.881] lstrlenW (lpString=".bz2") returned 4 [0048.881] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0048.881] lstrlenW (lpString=".7z") returned 3 [0048.882] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0048.882] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0048.882] lstrlenW (lpString=".dbf") returned 4 [0048.882] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0048.882] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0048.882] lstrlenW (lpString=".1cd") returned 4 [0048.882] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0048.882] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0048.882] lstrlenW (lpString=".jpg") returned 4 [0048.882] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0048.882] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0048.882] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0048.882] lstrlenW (lpString=".doc") returned 4 [0048.882] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0048.882] lstrlenW (lpString=".docx") returned 5 [0048.882] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0048.882] lstrlenW (lpString=".pdf") returned 4 [0048.882] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0048.882] lstrlenW (lpString=".xls") returned 4 [0048.882] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0048.882] lstrlenW (lpString=".xlsx") returned 5 [0048.882] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0048.882] lstrlenW (lpString=".ppt") returned 4 [0048.883] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0048.883] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0048.883] lstrlenW (lpString=".zip") returned 4 [0048.883] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0048.883] lstrlenW (lpString=".rar") returned 4 [0048.883] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0048.883] lstrlenW (lpString=".bz2") returned 4 [0048.883] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0048.883] lstrlenW (lpString=".7z") returned 3 [0048.883] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0048.883] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0048.883] lstrlenW (lpString=".dbf") returned 4 [0048.883] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0048.883] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0048.883] lstrlenW (lpString=".1cd") returned 4 [0048.883] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0048.883] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0048.883] lstrlenW (lpString=".jpg") returned 4 [0048.883] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0048.883] lstrcmpiW (lpString1=".msi", lpString2=".bmd") returned 1 [0048.883] lstrlenW (lpString="ExcelMUI.msi") returned 12 [0048.883] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0048.884] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x385ff1c | out: lpFileSize=0x385ff1c*=2506240) returned 1 [0048.884] CloseHandle (hObject=0x1a0) returned 1 [0048.884] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi")) returned 0x2020 [0048.884] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0048.884] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0048.885] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0048.885] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc6c | out: lpNewFilePointer=0x0) returned 1 [0048.885] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.885] ReadFile (in: hFile=0x1a0, lpBuffer=0x3ee0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ee0058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.901] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xcbf55, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.901] ReadFile (in: hFile=0x1a0, lpBuffer=0x3f20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3f20058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.739] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x385fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0049.740] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x223e00, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.740] ReadFile (in: hFile=0x1a0, lpBuffer=0x3f60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3f60058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.020] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.020] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ee0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x385fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesWritten=0x385fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0051.340] SetEndOfFile (hFile=0x1a0) returned 1 [0051.340] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x4082088 [0051.400] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.400] WriteFile (in: hFile=0x1a0, lpBuffer=0x4082088*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x4082088*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.401] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xcbf55, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.401] WriteFile (in: hFile=0x1a0, lpBuffer=0x4082088*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x4082088*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.460] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x223e00, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.460] WriteFile (in: hFile=0x1a0, lpBuffer=0x4082088*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x4082088*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.464] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4082088 | out: hHeap=0x5f0000) returned 1 [0051.464] CloseHandle (hObject=0x1a0) returned 1 [0052.738] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0052.738] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0052.738] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0052.738] lstrlenW (lpString=".doc") returned 4 [0052.738] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.739] lstrlenW (lpString=".docx") returned 5 [0052.739] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0052.739] lstrlenW (lpString=".pdf") returned 4 [0052.739] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.739] lstrlenW (lpString=".xls") returned 4 [0052.739] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.739] lstrlenW (lpString=".xlsx") returned 5 [0052.739] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0052.739] lstrlenW (lpString=".ppt") returned 4 [0052.739] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.739] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0052.739] lstrlenW (lpString=".zip") returned 4 [0052.739] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.739] lstrlenW (lpString=".rar") returned 4 [0052.739] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.739] lstrlenW (lpString=".bz2") returned 4 [0052.739] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.739] lstrlenW (lpString=".7z") returned 3 [0052.739] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.739] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0052.739] lstrlenW (lpString=".dbf") returned 4 [0052.739] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.739] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0052.739] lstrlenW (lpString=".1cd") returned 4 [0052.739] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.739] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0052.739] lstrlenW (lpString=".jpg") returned 4 [0052.740] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.740] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0052.740] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0052.740] lstrlenW (lpString=".doc") returned 4 [0052.740] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.740] lstrlenW (lpString=".docx") returned 5 [0052.740] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0052.740] lstrlenW (lpString=".pdf") returned 4 [0052.740] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.740] lstrlenW (lpString=".xls") returned 4 [0052.740] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.740] lstrlenW (lpString=".xlsx") returned 5 [0052.740] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0052.740] lstrlenW (lpString=".ppt") returned 4 [0052.740] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.740] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0052.740] lstrlenW (lpString=".zip") returned 4 [0052.740] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.740] lstrlenW (lpString=".rar") returned 4 [0052.740] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.740] lstrlenW (lpString=".bz2") returned 4 [0052.740] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.740] lstrlenW (lpString=".7z") returned 3 [0052.740] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.740] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0052.740] lstrlenW (lpString=".dbf") returned 4 [0052.741] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.741] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0052.741] lstrlenW (lpString=".1cd") returned 4 [0052.741] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.741] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0052.741] lstrlenW (lpString=".jpg") returned 4 [0052.741] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.741] lstrcmpiW (lpString1=".msi", lpString2=".bmd") returned 1 [0052.741] lstrlenW (lpString="PublisherMUI.msi") returned 16 [0052.741] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.742] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x385ff1c | out: lpFileSize=0x385ff1c*=2513920) returned 1 [0052.742] CloseHandle (hObject=0x1a0) returned 1 [0052.742] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi")) returned 0x2020 [0052.742] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0052.742] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0052.743] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.743] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc6c | out: lpNewFilePointer=0x0) returned 1 [0052.743] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.743] ReadFile (in: hFile=0x1a0, lpBuffer=0x3ee0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ee0058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.749] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xcc955, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.749] ReadFile (in: hFile=0x1a0, lpBuffer=0x3f20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3f20058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.761] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x385fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0052.761] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x225c00, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.761] ReadFile (in: hFile=0x1a0, lpBuffer=0x3f60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3f60058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.922] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.922] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ee0020*, nNumberOfBytesToWrite=0xc010c, lpNumberOfBytesWritten=0x385fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesWritten=0x385fcb0*=0xc010c, lpOverlapped=0x0) returned 1 [0053.090] SetEndOfFile (hFile=0x1a0) returned 1 [0053.090] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x40b20a0 [0053.093] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.093] WriteFile (in: hFile=0x1a0, lpBuffer=0x40b20a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x40b20a0*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.095] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xcc955, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.095] WriteFile (in: hFile=0x1a0, lpBuffer=0x40b20a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x40b20a0*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.102] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x225c00, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.102] WriteFile (in: hFile=0x1a0, lpBuffer=0x40b20a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x40b20a0*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.105] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x40b20a0 | out: hHeap=0x5f0000) returned 1 [0053.105] CloseHandle (hObject=0x1a0) returned 1 [0053.503] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0053.504] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0053.504] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0053.504] lstrlenW (lpString=".doc") returned 4 [0053.504] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0053.504] lstrlenW (lpString=".docx") returned 5 [0053.504] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0053.504] lstrlenW (lpString=".pdf") returned 4 [0053.504] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0053.504] lstrlenW (lpString=".xls") returned 4 [0053.504] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0053.504] lstrlenW (lpString=".xlsx") returned 5 [0053.504] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0053.504] lstrlenW (lpString=".ppt") returned 4 [0053.504] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0053.504] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0053.504] lstrlenW (lpString=".zip") returned 4 [0053.504] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0053.504] lstrlenW (lpString=".rar") returned 4 [0053.504] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0053.504] lstrlenW (lpString=".bz2") returned 4 [0053.504] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0053.505] lstrlenW (lpString=".7z") returned 3 [0053.505] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0053.505] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0053.505] lstrlenW (lpString=".dbf") returned 4 [0053.505] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0053.505] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0053.505] lstrlenW (lpString=".1cd") returned 4 [0053.505] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0053.505] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0053.505] lstrlenW (lpString=".jpg") returned 4 [0053.505] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0053.505] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0053.505] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0053.505] lstrlenW (lpString=".doc") returned 4 [0053.505] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0053.505] lstrlenW (lpString=".docx") returned 5 [0053.505] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0053.505] lstrlenW (lpString=".pdf") returned 4 [0053.505] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0053.505] lstrlenW (lpString=".xls") returned 4 [0053.505] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0053.505] lstrlenW (lpString=".xlsx") returned 5 [0053.505] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0053.505] lstrlenW (lpString=".ppt") returned 4 [0053.505] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0053.506] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0053.506] lstrlenW (lpString=".zip") returned 4 [0053.506] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0053.506] lstrlenW (lpString=".rar") returned 4 [0053.506] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0053.506] lstrlenW (lpString=".bz2") returned 4 [0053.506] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0053.506] lstrlenW (lpString=".7z") returned 3 [0053.506] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0053.506] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0053.506] lstrlenW (lpString=".dbf") returned 4 [0053.506] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0053.506] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0053.506] lstrlenW (lpString=".1cd") returned 4 [0053.506] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0053.506] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0053.506] lstrlenW (lpString=".jpg") returned 4 [0053.506] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0053.506] lstrcmpiW (lpString1=".cab", lpString2=".bmd") returned 1 [0053.506] lstrlenW (lpString="OutlkLR.cab") returned 11 [0053.507] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.507] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x385ff1c | out: lpFileSize=0x385ff1c*=14819276) returned 1 [0053.507] CloseHandle (hObject=0x1a0) returned 1 [0053.507] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab")) returned 0x2020 [0053.507] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0053.508] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0053.508] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.508] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc6c | out: lpNewFilePointer=0x0) returned 1 [0053.508] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0053.508] ReadFile (in: hFile=0x1a0, lpBuffer=0x3ee0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ee0058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.520] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x4b5fee, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0053.522] ReadFile (in: hFile=0x1a0, lpBuffer=0x3f20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3f20058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.529] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x385fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0053.529] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xde1fcc, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0053.530] ReadFile (in: hFile=0x1a0, lpBuffer=0x3f60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3f60058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.554] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.554] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ee0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x385fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesWritten=0x385fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0053.946] SetEndOfFile (hFile=0x1a0) returned 1 [0053.946] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x40b20a0 [0053.949] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.949] WriteFile (in: hFile=0x1a0, lpBuffer=0x40b20a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x40b20a0*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.951] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x4b5fee, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.951] WriteFile (in: hFile=0x1a0, lpBuffer=0x40b20a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x40b20a0*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.952] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xde1fcc, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.952] WriteFile (in: hFile=0x1a0, lpBuffer=0x40b20a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x40b20a0*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.954] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x40b20a0 | out: hHeap=0x5f0000) returned 1 [0053.954] CloseHandle (hObject=0x1a0) returned 1 [0056.421] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0056.422] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0056.422] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0056.422] lstrlenW (lpString=".doc") returned 4 [0056.422] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0056.422] lstrlenW (lpString=".docx") returned 5 [0056.422] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0056.422] lstrlenW (lpString=".pdf") returned 4 [0056.422] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0056.422] lstrlenW (lpString=".xls") returned 4 [0056.422] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0056.422] lstrlenW (lpString=".xlsx") returned 5 [0056.422] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0056.422] lstrlenW (lpString=".ppt") returned 4 [0056.422] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0056.422] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0056.422] lstrlenW (lpString=".zip") returned 4 [0056.422] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0056.422] lstrlenW (lpString=".rar") returned 4 [0056.422] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0056.422] lstrlenW (lpString=".bz2") returned 4 [0056.422] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0056.422] lstrlenW (lpString=".7z") returned 3 [0056.422] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0056.422] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0056.422] lstrlenW (lpString=".dbf") returned 4 [0056.422] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0056.422] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0056.422] lstrlenW (lpString=".1cd") returned 4 [0056.422] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0056.422] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0056.422] lstrlenW (lpString=".jpg") returned 4 [0056.422] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0056.423] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0056.423] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0056.423] lstrlenW (lpString=".doc") returned 4 [0056.423] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0056.423] lstrlenW (lpString=".docx") returned 5 [0056.423] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0056.423] lstrlenW (lpString=".pdf") returned 4 [0056.423] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0056.423] lstrlenW (lpString=".xls") returned 4 [0056.423] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0056.423] lstrlenW (lpString=".xlsx") returned 5 [0056.423] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0056.423] lstrlenW (lpString=".ppt") returned 4 [0056.423] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0056.423] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0056.423] lstrlenW (lpString=".zip") returned 4 [0056.423] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0056.423] lstrlenW (lpString=".rar") returned 4 [0056.423] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0056.423] lstrlenW (lpString=".bz2") returned 4 [0056.423] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0056.423] lstrlenW (lpString=".7z") returned 3 [0056.423] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0056.423] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0056.423] lstrlenW (lpString=".dbf") returned 4 [0056.423] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0056.423] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0056.423] lstrlenW (lpString=".1cd") returned 4 [0056.423] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0056.423] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0056.423] lstrlenW (lpString=".jpg") returned 4 [0056.423] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0056.424] lstrcmpiW (lpString1=".msi", lpString2=".bmd") returned 1 [0056.424] lstrlenW (lpString="Proof.msi") returned 9 [0056.424] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0057.787] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x385ff1c | out: lpFileSize=0x385ff1c*=875520) returned 1 [0057.787] CloseHandle (hObject=0x1a0) returned 1 [0057.787] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi")) returned 0x2020 [0057.787] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0057.788] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0057.788] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.788] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.788] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0057.788] GetLastError () returned 0x0 [0057.788] ReadFile (in: hFile=0x1a0, lpBuffer=0x3ee0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x385fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesRead=0x385fed4*=0xd5c00, lpOverlapped=0x0) returned 1 [0057.959] WriteFile (in: hFile=0x20c, lpBuffer=0x3ee0020*, nNumberOfBytesToWrite=0xd5c10, lpNumberOfBytesWritten=0x385fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesWritten=0x385fc9c*=0xd5c10, lpOverlapped=0x0) returned 1 [0058.092] ReadFile (in: hFile=0x1a0, lpBuffer=0x3ee0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x385fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesRead=0x385fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.092] WriteFile (in: hFile=0x20c, lpBuffer=0x3ee0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x385fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesWritten=0x385fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0058.092] SetEndOfFile (hFile=0x20c) returned 1 [0058.092] CloseHandle (hObject=0x20c) returned 1 [0058.102] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.102] SetEndOfFile (hFile=0x1a0) returned 1 [0058.112] CloseHandle (hObject=0x1a0) returned 1 [0058.112] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0058.112] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi")) returned 1 [0058.113] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0058.113] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0058.113] lstrlenW (lpString=".doc") returned 4 [0058.113] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0058.113] lstrlenW (lpString=".docx") returned 5 [0058.113] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0058.113] lstrlenW (lpString=".pdf") returned 4 [0058.113] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0058.113] lstrlenW (lpString=".xls") returned 4 [0058.113] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0058.113] lstrlenW (lpString=".xlsx") returned 5 [0058.113] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0058.113] lstrlenW (lpString=".ppt") returned 4 [0058.113] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0058.113] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0058.113] lstrlenW (lpString=".zip") returned 4 [0058.113] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0058.113] lstrlenW (lpString=".rar") returned 4 [0058.113] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0058.113] lstrlenW (lpString=".bz2") returned 4 [0058.113] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0058.113] lstrlenW (lpString=".7z") returned 3 [0058.113] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0058.113] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0058.114] lstrlenW (lpString=".dbf") returned 4 [0058.114] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0058.114] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0058.114] lstrlenW (lpString=".1cd") returned 4 [0058.114] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0058.114] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0058.114] lstrlenW (lpString=".jpg") returned 4 [0058.114] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0058.114] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0058.114] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0058.114] lstrlenW (lpString=".doc") returned 4 [0058.114] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0058.114] lstrlenW (lpString=".docx") returned 5 [0058.114] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0058.114] lstrlenW (lpString=".pdf") returned 4 [0058.114] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0058.114] lstrlenW (lpString=".xls") returned 4 [0058.114] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0058.114] lstrlenW (lpString=".xlsx") returned 5 [0058.114] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0058.114] lstrlenW (lpString=".ppt") returned 4 [0058.114] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0058.114] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0058.114] lstrlenW (lpString=".zip") returned 4 [0058.114] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0058.114] lstrlenW (lpString=".rar") returned 4 [0058.114] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0058.115] lstrlenW (lpString=".bz2") returned 4 [0058.115] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0058.115] lstrlenW (lpString=".7z") returned 3 [0058.115] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0058.115] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0058.115] lstrlenW (lpString=".dbf") returned 4 [0058.115] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0058.115] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0058.115] lstrlenW (lpString=".1cd") returned 4 [0058.115] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0058.115] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0058.115] lstrlenW (lpString=".jpg") returned 4 [0058.115] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0058.115] lstrcmpiW (lpString1=".cab", lpString2=".bmd") returned 1 [0058.115] lstrlenW (lpString="Proof.cab") returned 9 [0058.115] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0058.330] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x385ff1c | out: lpFileSize=0x385ff1c*=13642474) returned 1 [0058.330] CloseHandle (hObject=0x1f4) returned 1 [0058.330] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab")) returned 0x2020 [0058.330] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0058.330] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0058.683] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0058.683] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc6c | out: lpNewFilePointer=0x0) returned 1 [0058.683] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0058.684] ReadFile (in: hFile=0x1f4, lpBuffer=0x3ee0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ee0058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0058.799] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x4563a3, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0058.799] ReadFile (in: hFile=0x1f4, lpBuffer=0x3f20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3f20058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0058.871] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x385fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0058.871] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xcc2aea, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0058.872] ReadFile (in: hFile=0x1f4, lpBuffer=0x3f60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3f60058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0058.955] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.956] WriteFile (in: hFile=0x1f4, lpBuffer=0x3ee0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x385fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesWritten=0x385fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0059.197] SetEndOfFile (hFile=0x1f4) returned 1 [0059.197] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x40b20a0 [0059.484] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0059.484] WriteFile (in: hFile=0x1f4, lpBuffer=0x40b20a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x40b20a0*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0059.485] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x4563a3, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0059.485] WriteFile (in: hFile=0x1f4, lpBuffer=0x40b20a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x40b20a0*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0059.486] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xcc2aea, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0059.486] WriteFile (in: hFile=0x1f4, lpBuffer=0x40b20a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x40b20a0*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0059.488] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x40b20a0 | out: hHeap=0x5f0000) returned 1 [0059.488] CloseHandle (hObject=0x1f4) returned 1 [0062.115] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0062.116] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0062.116] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0062.116] lstrlenW (lpString=".doc") returned 4 [0062.116] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0062.116] lstrlenW (lpString=".docx") returned 5 [0062.116] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0062.116] lstrlenW (lpString=".pdf") returned 4 [0062.116] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0062.116] lstrlenW (lpString=".xls") returned 4 [0062.116] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0062.116] lstrlenW (lpString=".xlsx") returned 5 [0062.116] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0062.116] lstrlenW (lpString=".ppt") returned 4 [0062.116] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0062.116] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0062.116] lstrlenW (lpString=".zip") returned 4 [0062.116] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0062.117] lstrlenW (lpString=".rar") returned 4 [0062.117] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0062.117] lstrlenW (lpString=".bz2") returned 4 [0062.117] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0062.117] lstrlenW (lpString=".7z") returned 3 [0062.117] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0062.117] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0062.117] lstrlenW (lpString=".dbf") returned 4 [0062.117] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0062.117] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0062.117] lstrlenW (lpString=".1cd") returned 4 [0062.117] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0062.117] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0062.117] lstrlenW (lpString=".jpg") returned 4 [0062.117] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0062.117] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0062.117] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0062.117] lstrlenW (lpString=".doc") returned 4 [0062.117] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0062.117] lstrlenW (lpString=".docx") returned 5 [0062.117] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0062.117] lstrlenW (lpString=".pdf") returned 4 [0062.117] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0062.117] lstrlenW (lpString=".xls") returned 4 [0062.117] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0062.117] lstrlenW (lpString=".xlsx") returned 5 [0062.118] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0062.118] lstrlenW (lpString=".ppt") returned 4 [0062.118] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0062.118] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0062.118] lstrlenW (lpString=".zip") returned 4 [0062.118] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0062.118] lstrlenW (lpString=".rar") returned 4 [0062.118] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0062.118] lstrlenW (lpString=".bz2") returned 4 [0062.118] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0062.118] lstrlenW (lpString=".7z") returned 3 [0062.118] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0062.118] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0062.118] lstrlenW (lpString=".dbf") returned 4 [0062.118] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0062.118] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0062.118] lstrlenW (lpString=".1cd") returned 4 [0062.118] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0062.118] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0062.118] lstrlenW (lpString=".jpg") returned 4 [0062.118] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0062.119] lstrcmpiW (lpString1=".msi", lpString2=".bmd") returned 1 [0062.119] lstrlenW (lpString="InfoPathMUI.msi") returned 15 [0062.119] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0062.119] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x385ff1c | out: lpFileSize=0x385ff1c*=3124224) returned 1 [0062.119] CloseHandle (hObject=0x1f4) returned 1 [0062.119] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi")) returned 0x2020 [0062.119] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.119] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0062.273] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0062.273] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc6c | out: lpNewFilePointer=0x0) returned 1 [0062.273] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0062.273] ReadFile (in: hFile=0x1f4, lpBuffer=0x3ee0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ee0058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0062.377] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfe400, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0062.377] ReadFile (in: hFile=0x1f4, lpBuffer=0x3f20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3f20058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0062.435] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x385fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0062.435] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x2bac00, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0062.435] ReadFile (in: hFile=0x1f4, lpBuffer=0x3f60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3f60058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0062.534] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0062.534] WriteFile (in: hFile=0x1f4, lpBuffer=0x3ee0020*, nNumberOfBytesToWrite=0xc010a, lpNumberOfBytesWritten=0x385fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesWritten=0x385fcb0*=0xc010a, lpOverlapped=0x0) returned 1 [0062.967] SetEndOfFile (hFile=0x1f4) returned 1 [0062.967] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x4092090 [0062.967] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0062.968] WriteFile (in: hFile=0x1f4, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0062.969] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfe400, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0062.969] WriteFile (in: hFile=0x1f4, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0062.974] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x2bac00, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0062.974] WriteFile (in: hFile=0x1f4, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0062.977] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4092090 | out: hHeap=0x5f0000) returned 1 [0062.977] CloseHandle (hObject=0x1f4) returned 1 [0062.977] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0062.977] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0062.977] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0062.977] lstrlenW (lpString=".doc") returned 4 [0062.977] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0062.977] lstrlenW (lpString=".docx") returned 5 [0062.977] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0062.977] lstrlenW (lpString=".pdf") returned 4 [0062.977] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0062.977] lstrlenW (lpString=".xls") returned 4 [0062.977] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0062.977] lstrlenW (lpString=".xlsx") returned 5 [0062.977] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0062.977] lstrlenW (lpString=".ppt") returned 4 [0062.978] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0062.978] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0062.978] lstrlenW (lpString=".zip") returned 4 [0062.978] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0062.978] lstrlenW (lpString=".rar") returned 4 [0062.978] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0062.978] lstrlenW (lpString=".bz2") returned 4 [0062.978] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0062.978] lstrlenW (lpString=".7z") returned 3 [0062.978] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0062.978] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0062.978] lstrlenW (lpString=".dbf") returned 4 [0062.978] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0062.978] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0062.978] lstrlenW (lpString=".1cd") returned 4 [0062.978] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0062.978] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0062.978] lstrlenW (lpString=".jpg") returned 4 [0062.978] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0062.979] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0062.979] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0062.979] lstrlenW (lpString=".doc") returned 4 [0062.979] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0062.979] lstrlenW (lpString=".docx") returned 5 [0062.979] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0062.979] lstrlenW (lpString=".pdf") returned 4 [0062.979] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0062.979] lstrlenW (lpString=".xls") returned 4 [0062.979] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0062.979] lstrlenW (lpString=".xlsx") returned 5 [0062.979] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0062.979] lstrlenW (lpString=".ppt") returned 4 [0062.979] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0062.979] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0062.979] lstrlenW (lpString=".zip") returned 4 [0062.979] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0062.979] lstrlenW (lpString=".rar") returned 4 [0062.979] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0062.979] lstrlenW (lpString=".bz2") returned 4 [0062.979] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0062.979] lstrlenW (lpString=".7z") returned 3 [0062.979] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0062.979] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0062.979] lstrlenW (lpString=".dbf") returned 4 [0062.979] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0062.979] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0062.979] lstrlenW (lpString=".1cd") returned 4 [0062.979] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0062.979] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0062.979] lstrlenW (lpString=".jpg") returned 4 [0062.979] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0062.980] lstrcmpiW (lpString1=".msi", lpString2=".bmd") returned 1 [0062.980] lstrlenW (lpString="VisioMUI.msi") returned 12 [0062.980] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0062.980] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x385ff1c | out: lpFileSize=0x385ff1c*=2797568) returned 1 [0062.980] CloseHandle (hObject=0x1f4) returned 1 [0062.980] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi")) returned 0x2020 [0062.980] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0062.980] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0062.981] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0062.981] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc6c | out: lpNewFilePointer=0x0) returned 1 [0062.981] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0062.981] ReadFile (in: hFile=0x1f4, lpBuffer=0x3ee0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ee0058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0063.846] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xe3aaa, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0063.846] ReadFile (in: hFile=0x1f4, lpBuffer=0x3f20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3f20058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0064.119] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x385fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0064.119] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x26b000, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0064.119] ReadFile (in: hFile=0x1f4, lpBuffer=0x3f60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3f60058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0064.904] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0064.904] WriteFile (in: hFile=0x1f4, lpBuffer=0x3ee0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x385fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesWritten=0x385fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0065.188] SetEndOfFile (hFile=0x1f4) returned 1 [0065.188] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x4092090 [0065.188] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0065.188] WriteFile (in: hFile=0x1f4, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0065.190] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xe3aaa, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0065.190] WriteFile (in: hFile=0x1f4, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0065.197] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x26b000, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0065.197] WriteFile (in: hFile=0x1f4, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0065.199] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4092090 | out: hHeap=0x5f0000) returned 1 [0065.199] CloseHandle (hObject=0x1f4) returned 1 [0065.199] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0065.200] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0065.200] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0065.200] lstrlenW (lpString=".doc") returned 4 [0065.200] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0065.200] lstrlenW (lpString=".docx") returned 5 [0065.200] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0065.200] lstrlenW (lpString=".pdf") returned 4 [0065.200] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0065.200] lstrlenW (lpString=".xls") returned 4 [0065.200] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0065.200] lstrlenW (lpString=".xlsx") returned 5 [0065.200] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0065.200] lstrlenW (lpString=".ppt") returned 4 [0065.200] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0065.200] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0065.200] lstrlenW (lpString=".zip") returned 4 [0065.200] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0065.200] lstrlenW (lpString=".rar") returned 4 [0065.200] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0065.200] lstrlenW (lpString=".bz2") returned 4 [0065.200] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0065.200] lstrlenW (lpString=".7z") returned 3 [0065.200] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0065.200] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0065.200] lstrlenW (lpString=".dbf") returned 4 [0065.200] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0065.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0065.201] lstrlenW (lpString=".1cd") returned 4 [0065.201] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0065.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0065.201] lstrlenW (lpString=".jpg") returned 4 [0065.201] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0065.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0065.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0065.201] lstrlenW (lpString=".doc") returned 4 [0065.201] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0065.201] lstrlenW (lpString=".docx") returned 5 [0065.201] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0065.201] lstrlenW (lpString=".pdf") returned 4 [0065.201] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0065.201] lstrlenW (lpString=".xls") returned 4 [0065.201] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0065.201] lstrlenW (lpString=".xlsx") returned 5 [0065.201] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0065.201] lstrlenW (lpString=".ppt") returned 4 [0065.201] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0065.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0065.201] lstrlenW (lpString=".zip") returned 4 [0065.201] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0065.201] lstrlenW (lpString=".rar") returned 4 [0065.201] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0065.201] lstrlenW (lpString=".bz2") returned 4 [0065.201] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0065.201] lstrlenW (lpString=".7z") returned 3 [0065.201] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0065.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0065.201] lstrlenW (lpString=".dbf") returned 4 [0065.201] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0065.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0065.201] lstrlenW (lpString=".1cd") returned 4 [0065.201] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0065.202] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0065.202] lstrlenW (lpString=".jpg") returned 4 [0065.202] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0065.420] lstrcmpiW (lpString1=".msi", lpString2=".bmd") returned 1 [0065.420] lstrlenW (lpString="GrooveMUI.msi") returned 13 [0065.421] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0065.421] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x385ff1c | out: lpFileSize=0x385ff1c*=2507776) returned 1 [0065.421] CloseHandle (hObject=0x190) returned 1 [0065.421] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi")) returned 0x2020 [0065.421] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0065.422] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0065.422] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0065.422] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc6c | out: lpNewFilePointer=0x0) returned 1 [0065.423] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0065.423] ReadFile (in: hFile=0x190, lpBuffer=0x3ee0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ee0058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0065.427] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xcc155, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0065.427] ReadFile (in: hFile=0x190, lpBuffer=0x3f20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3f20058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0065.443] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x385fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0065.443] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x224400, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0065.443] ReadFile (in: hFile=0x190, lpBuffer=0x3f60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3f60058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0065.465] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0065.465] WriteFile (in: hFile=0x190, lpBuffer=0x3ee0020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x385fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesWritten=0x385fcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0066.681] SetEndOfFile (hFile=0x190) returned 1 [0066.681] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x4092090 [0066.681] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0066.682] WriteFile (in: hFile=0x190, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0066.684] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xcc155, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0066.684] WriteFile (in: hFile=0x190, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0066.692] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x224400, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0066.692] WriteFile (in: hFile=0x190, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0066.696] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4092090 | out: hHeap=0x5f0000) returned 1 [0066.696] CloseHandle (hObject=0x190) returned 1 [0066.696] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0066.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0066.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0066.697] lstrlenW (lpString=".doc") returned 4 [0066.697] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0066.697] lstrlenW (lpString=".docx") returned 5 [0066.697] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0066.697] lstrlenW (lpString=".pdf") returned 4 [0066.697] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0066.697] lstrlenW (lpString=".xls") returned 4 [0066.697] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0066.697] lstrlenW (lpString=".xlsx") returned 5 [0066.697] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0066.697] lstrlenW (lpString=".ppt") returned 4 [0066.697] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0066.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0066.697] lstrlenW (lpString=".zip") returned 4 [0066.697] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0066.697] lstrlenW (lpString=".rar") returned 4 [0066.697] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0066.697] lstrlenW (lpString=".bz2") returned 4 [0066.697] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0066.697] lstrlenW (lpString=".7z") returned 3 [0066.697] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0066.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0066.697] lstrlenW (lpString=".dbf") returned 4 [0066.698] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0066.698] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0066.698] lstrlenW (lpString=".1cd") returned 4 [0066.698] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0066.698] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0066.698] lstrlenW (lpString=".jpg") returned 4 [0066.698] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0066.698] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0066.698] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0066.698] lstrlenW (lpString=".doc") returned 4 [0066.698] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0066.698] lstrlenW (lpString=".docx") returned 5 [0066.698] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0066.698] lstrlenW (lpString=".pdf") returned 4 [0066.698] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0066.698] lstrlenW (lpString=".xls") returned 4 [0066.698] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0066.698] lstrlenW (lpString=".xlsx") returned 5 [0066.698] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0066.698] lstrlenW (lpString=".ppt") returned 4 [0066.698] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0066.698] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0066.698] lstrlenW (lpString=".zip") returned 4 [0066.698] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0066.698] lstrlenW (lpString=".rar") returned 4 [0066.698] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0066.699] lstrlenW (lpString=".bz2") returned 4 [0066.699] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0066.699] lstrlenW (lpString=".7z") returned 3 [0066.699] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0066.699] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0066.699] lstrlenW (lpString=".dbf") returned 4 [0066.699] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0066.699] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0066.699] lstrlenW (lpString=".1cd") returned 4 [0066.699] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0066.699] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0066.699] lstrlenW (lpString=".jpg") returned 4 [0066.699] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0066.699] lstrcmpiW (lpString1=".dll", lpString2=".bmd") returned 1 [0066.699] lstrlenW (lpString="dwdcw20.dll") returned 11 [0066.699] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0066.809] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x385ff1c | out: lpFileSize=0x385ff1c*=526176) returned 1 [0066.809] CloseHandle (hObject=0x21c) returned 1 [0066.809] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll")) returned 0x2020 [0066.810] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0066.810] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0066.810] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0066.810] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0066.810] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0066.810] GetLastError () returned 0x0 [0066.810] ReadFile (in: hFile=0x21c, lpBuffer=0x3ee0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x385fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesRead=0x385fed4*=0x80760, lpOverlapped=0x0) returned 1 [0066.872] WriteFile (in: hFile=0x218, lpBuffer=0x3ee0020*, nNumberOfBytesToWrite=0x80770, lpNumberOfBytesWritten=0x385fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesWritten=0x385fc9c*=0x80770, lpOverlapped=0x0) returned 1 [0066.885] ReadFile (in: hFile=0x21c, lpBuffer=0x3ee0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x385fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesRead=0x385fed4*=0x0, lpOverlapped=0x0) returned 1 [0066.885] WriteFile (in: hFile=0x218, lpBuffer=0x3ee0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x385fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesWritten=0x385fc9c*=0xea, lpOverlapped=0x0) returned 1 [0066.885] SetEndOfFile (hFile=0x218) returned 1 [0066.885] CloseHandle (hObject=0x218) returned 1 [0066.885] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0066.885] SetEndOfFile (hFile=0x21c) returned 1 [0066.891] CloseHandle (hObject=0x21c) returned 1 [0066.891] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0066.892] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll")) returned 1 [0066.892] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0066.892] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0066.892] lstrlenW (lpString=".doc") returned 4 [0066.892] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0066.892] lstrlenW (lpString=".docx") returned 5 [0066.892] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0066.892] lstrlenW (lpString=".pdf") returned 4 [0066.892] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0066.892] lstrlenW (lpString=".xls") returned 4 [0066.892] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0066.892] lstrlenW (lpString=".xlsx") returned 5 [0066.892] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0066.892] lstrlenW (lpString=".ppt") returned 4 [0066.892] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0066.892] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0066.892] lstrlenW (lpString=".zip") returned 4 [0066.892] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0066.892] lstrlenW (lpString=".rar") returned 4 [0066.892] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0066.892] lstrlenW (lpString=".bz2") returned 4 [0066.892] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0066.893] lstrlenW (lpString=".7z") returned 3 [0066.893] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0066.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0066.893] lstrlenW (lpString=".dbf") returned 4 [0066.893] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0066.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0066.893] lstrlenW (lpString=".1cd") returned 4 [0066.893] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0066.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0066.893] lstrlenW (lpString=".jpg") returned 4 [0066.893] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0066.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0066.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0066.893] lstrlenW (lpString=".doc") returned 4 [0066.893] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0066.893] lstrlenW (lpString=".docx") returned 5 [0066.893] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0066.893] lstrlenW (lpString=".pdf") returned 4 [0066.893] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0066.893] lstrlenW (lpString=".xls") returned 4 [0066.893] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0066.893] lstrlenW (lpString=".xlsx") returned 5 [0066.893] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0066.893] lstrlenW (lpString=".ppt") returned 4 [0066.893] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0066.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0066.893] lstrlenW (lpString=".zip") returned 4 [0066.893] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0066.893] lstrlenW (lpString=".rar") returned 4 [0066.893] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0066.894] lstrlenW (lpString=".bz2") returned 4 [0066.894] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0066.894] lstrlenW (lpString=".7z") returned 3 [0066.894] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0066.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0066.894] lstrlenW (lpString=".dbf") returned 4 [0066.894] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0066.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0066.894] lstrlenW (lpString=".1cd") returned 4 [0066.894] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0066.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0066.894] lstrlenW (lpString=".jpg") returned 4 [0066.894] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0066.894] lstrcmpiW (lpString1=".exe", lpString2=".bmd") returned 1 [0066.894] lstrlenW (lpString="dwtrig20.exe") returned 12 [0066.894] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0066.895] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x385ff1c | out: lpFileSize=0x385ff1c*=519584) returned 1 [0066.895] CloseHandle (hObject=0x21c) returned 1 [0066.895] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe")) returned 0x2020 [0066.895] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0066.895] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0066.895] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0066.895] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0066.895] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0067.268] GetLastError () returned 0x0 [0067.268] ReadFile (in: hFile=0x21c, lpBuffer=0x3ee0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x385fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesRead=0x385fed4*=0x7eda0, lpOverlapped=0x0) returned 1 [0067.308] WriteFile (in: hFile=0x188, lpBuffer=0x3ee0020*, nNumberOfBytesToWrite=0x7edb0, lpNumberOfBytesWritten=0x385fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesWritten=0x385fc9c*=0x7edb0, lpOverlapped=0x0) returned 1 [0067.322] ReadFile (in: hFile=0x21c, lpBuffer=0x3ee0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x385fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesRead=0x385fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.322] WriteFile (in: hFile=0x188, lpBuffer=0x3ee0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x385fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesWritten=0x385fc9c*=0xec, lpOverlapped=0x0) returned 1 [0067.322] SetEndOfFile (hFile=0x188) returned 1 [0067.322] CloseHandle (hObject=0x188) returned 1 [0067.323] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.323] SetEndOfFile (hFile=0x21c) returned 1 [0067.329] CloseHandle (hObject=0x21c) returned 1 [0067.329] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0067.329] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe")) returned 1 [0067.330] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0067.330] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0067.330] lstrlenW (lpString=".doc") returned 4 [0067.330] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0067.330] lstrlenW (lpString=".docx") returned 5 [0067.330] lstrcmpiW (lpString1=".docx", lpString2="0.exe") returned -1 [0067.330] lstrlenW (lpString=".pdf") returned 4 [0067.330] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0067.330] lstrlenW (lpString=".xls") returned 4 [0067.330] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0067.330] lstrlenW (lpString=".xlsx") returned 5 [0067.330] lstrcmpiW (lpString1=".xlsx", lpString2="0.exe") returned -1 [0067.330] lstrlenW (lpString=".ppt") returned 4 [0067.330] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0067.330] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0067.330] lstrlenW (lpString=".zip") returned 4 [0067.330] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0067.330] lstrlenW (lpString=".rar") returned 4 [0067.330] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0067.330] lstrlenW (lpString=".bz2") returned 4 [0067.330] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0067.330] lstrlenW (lpString=".7z") returned 3 [0067.331] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0067.331] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0067.331] lstrlenW (lpString=".dbf") returned 4 [0067.331] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0067.331] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0067.331] lstrlenW (lpString=".1cd") returned 4 [0067.331] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0067.331] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0067.331] lstrlenW (lpString=".jpg") returned 4 [0067.331] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0067.331] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0067.331] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0067.331] lstrlenW (lpString=".doc") returned 4 [0067.331] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0067.331] lstrlenW (lpString=".docx") returned 5 [0067.331] lstrcmpiW (lpString1=".docx", lpString2="0.exe") returned -1 [0067.331] lstrlenW (lpString=".pdf") returned 4 [0067.331] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0067.331] lstrlenW (lpString=".xls") returned 4 [0067.331] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0067.331] lstrlenW (lpString=".xlsx") returned 5 [0067.331] lstrcmpiW (lpString1=".xlsx", lpString2="0.exe") returned -1 [0067.331] lstrlenW (lpString=".ppt") returned 4 [0067.332] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0067.332] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0067.332] lstrlenW (lpString=".zip") returned 4 [0067.332] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0067.332] lstrlenW (lpString=".rar") returned 4 [0067.332] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0067.332] lstrlenW (lpString=".bz2") returned 4 [0067.332] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0067.332] lstrlenW (lpString=".7z") returned 3 [0067.332] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0067.332] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0067.332] lstrlenW (lpString=".dbf") returned 4 [0067.332] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0067.332] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0067.332] lstrlenW (lpString=".1cd") returned 4 [0067.332] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0067.332] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0067.332] lstrlenW (lpString=".jpg") returned 4 [0067.332] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0067.333] lstrcmpiW (lpString1=".msi", lpString2=".bmd") returned 1 [0067.333] lstrlenW (lpString="OfficeMUI.msi") returned 13 [0067.333] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0067.333] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x385ff1c | out: lpFileSize=0x385ff1c*=3702272) returned 1 [0067.333] CloseHandle (hObject=0x21c) returned 1 [0067.333] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi")) returned 0x2020 [0067.333] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0067.333] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0067.334] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0067.334] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc6c | out: lpNewFilePointer=0x0) returned 1 [0067.335] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0067.335] ReadFile (in: hFile=0x21c, lpBuffer=0x3ee0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ee0058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0067.499] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x12d4aa, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0067.499] ReadFile (in: hFile=0x21c, lpBuffer=0x3f20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3f20058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0067.516] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x385fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0067.516] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x347e00, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0067.516] ReadFile (in: hFile=0x21c, lpBuffer=0x3f60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3f60058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0067.541] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.541] WriteFile (in: hFile=0x21c, lpBuffer=0x3ee0020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x385fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesWritten=0x385fcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0067.724] SetEndOfFile (hFile=0x21c) returned 1 [0067.724] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x4092090 [0067.725] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0067.725] WriteFile (in: hFile=0x21c, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0067.727] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x12d4aa, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0067.727] WriteFile (in: hFile=0x21c, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0068.009] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x347e00, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0068.009] WriteFile (in: hFile=0x21c, lpBuffer=0x4092090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x4092090*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0068.012] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4092090 | out: hHeap=0x5f0000) returned 1 [0068.013] CloseHandle (hObject=0x21c) returned 1 [0068.013] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0068.013] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0068.013] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0068.013] lstrlenW (lpString=".doc") returned 4 [0068.014] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0068.014] lstrlenW (lpString=".docx") returned 5 [0068.014] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0068.014] lstrlenW (lpString=".pdf") returned 4 [0068.014] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0068.014] lstrlenW (lpString=".xls") returned 4 [0068.014] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0068.014] lstrlenW (lpString=".xlsx") returned 5 [0068.014] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0068.014] lstrlenW (lpString=".ppt") returned 4 [0068.014] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0068.014] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0068.014] lstrlenW (lpString=".zip") returned 4 [0068.014] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0068.014] lstrlenW (lpString=".rar") returned 4 [0068.014] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0068.014] lstrlenW (lpString=".bz2") returned 4 [0068.014] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0068.014] lstrlenW (lpString=".7z") returned 3 [0068.014] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0068.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0068.015] lstrlenW (lpString=".dbf") returned 4 [0068.015] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0068.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0068.015] lstrlenW (lpString=".1cd") returned 4 [0068.015] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0068.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0068.015] lstrlenW (lpString=".jpg") returned 4 [0068.015] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0068.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0068.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0068.015] lstrlenW (lpString=".doc") returned 4 [0068.015] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0068.015] lstrlenW (lpString=".docx") returned 5 [0068.015] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0068.015] lstrlenW (lpString=".pdf") returned 4 [0068.016] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0068.016] lstrlenW (lpString=".xls") returned 4 [0068.016] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0068.016] lstrlenW (lpString=".xlsx") returned 5 [0068.016] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0068.016] lstrlenW (lpString=".ppt") returned 4 [0068.016] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0068.016] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0068.016] lstrlenW (lpString=".zip") returned 4 [0068.016] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0068.016] lstrlenW (lpString=".rar") returned 4 [0068.016] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0068.016] lstrlenW (lpString=".bz2") returned 4 [0068.016] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0068.016] lstrlenW (lpString=".7z") returned 3 [0068.016] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0068.016] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0068.016] lstrlenW (lpString=".dbf") returned 4 [0068.016] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0068.017] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0068.017] lstrlenW (lpString=".1cd") returned 4 [0068.017] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0068.017] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0068.017] lstrlenW (lpString=".jpg") returned 4 [0068.017] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0068.017] lstrcmpiW (lpString1=".msi", lpString2=".bmd") returned 1 [0068.017] lstrlenW (lpString="Office32WW.msi") returned 14 [0068.017] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0068.018] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x385ff1c | out: lpFileSize=0x385ff1c*=1992192) returned 1 [0068.018] CloseHandle (hObject=0x21c) returned 1 [0068.018] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi")) returned 0x2020 [0068.018] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0068.018] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0068.019] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0068.019] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc6c | out: lpNewFilePointer=0x0) returned 1 [0068.019] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0068.020] ReadFile (in: hFile=0x21c, lpBuffer=0x3ee0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ee0058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0068.030] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0068.030] ReadFile (in: hFile=0x21c, lpBuffer=0x3f20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3f20058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0068.038] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x385fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0068.038] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0068.038] ReadFile (in: hFile=0x21c, lpBuffer=0x3f60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3f60058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0069.086] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.086] WriteFile (in: hFile=0x21c, lpBuffer=0x3ee0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x385fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesWritten=0x385fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0069.116] SetEndOfFile (hFile=0x21c) returned 1 [0069.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x40d2098 [0069.473] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0069.473] WriteFile (in: hFile=0x21c, lpBuffer=0x40d2098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x40d2098*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0069.475] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0069.475] WriteFile (in: hFile=0x21c, lpBuffer=0x40d2098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x40d2098*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0069.477] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0069.477] WriteFile (in: hFile=0x21c, lpBuffer=0x40d2098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x40d2098*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0069.480] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x40d2098 | out: hHeap=0x5f0000) returned 1 [0069.480] CloseHandle (hObject=0x21c) returned 1 [0069.481] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0069.481] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0069.481] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0069.481] lstrlenW (lpString=".doc") returned 4 [0069.481] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0069.481] lstrlenW (lpString=".docx") returned 5 [0069.481] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0069.481] lstrlenW (lpString=".pdf") returned 4 [0069.481] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0069.481] lstrlenW (lpString=".xls") returned 4 [0069.481] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0069.481] lstrlenW (lpString=".xlsx") returned 5 [0069.481] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0069.481] lstrlenW (lpString=".ppt") returned 4 [0069.481] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0069.481] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0069.481] lstrlenW (lpString=".zip") returned 4 [0069.481] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0069.481] lstrlenW (lpString=".rar") returned 4 [0069.482] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0069.482] lstrlenW (lpString=".bz2") returned 4 [0069.482] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0069.482] lstrlenW (lpString=".7z") returned 3 [0069.482] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0069.482] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0069.482] lstrlenW (lpString=".dbf") returned 4 [0069.482] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0069.482] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0069.482] lstrlenW (lpString=".1cd") returned 4 [0069.482] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0069.482] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0069.482] lstrlenW (lpString=".jpg") returned 4 [0069.482] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0069.482] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0069.482] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0069.482] lstrlenW (lpString=".doc") returned 4 [0069.482] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0069.482] lstrlenW (lpString=".docx") returned 5 [0069.482] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0069.482] lstrlenW (lpString=".pdf") returned 4 [0069.482] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0069.482] lstrlenW (lpString=".xls") returned 4 [0069.482] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0069.482] lstrlenW (lpString=".xlsx") returned 5 [0069.482] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0069.482] lstrlenW (lpString=".ppt") returned 4 [0069.482] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0069.482] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0069.482] lstrlenW (lpString=".zip") returned 4 [0069.483] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0069.483] lstrlenW (lpString=".rar") returned 4 [0069.483] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0069.483] lstrlenW (lpString=".bz2") returned 4 [0069.483] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0069.483] lstrlenW (lpString=".7z") returned 3 [0069.483] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0069.483] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0069.483] lstrlenW (lpString=".dbf") returned 4 [0069.483] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0069.483] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0069.483] lstrlenW (lpString=".1cd") returned 4 [0069.483] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0069.483] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0069.483] lstrlenW (lpString=".jpg") returned 4 [0069.483] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0069.483] lstrcmpiW (lpString1=".xrm-ms", lpString2=".bmd") returned 1 [0069.483] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0069.483] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0069.484] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x385ff1c | out: lpFileSize=0x385ff1c*=715834) returned 1 [0069.484] CloseHandle (hObject=0x21c) returned 1 [0069.484] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0x2020 [0069.484] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0069.484] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0069.484] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.484] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.484] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0069.485] GetLastError () returned 0x0 [0069.485] ReadFile (in: hFile=0x21c, lpBuffer=0x3ee0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x385fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesRead=0x385fed4*=0xaec3a, lpOverlapped=0x0) returned 1 [0069.537] WriteFile (in: hFile=0x20c, lpBuffer=0x3ee0020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x385fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesWritten=0x385fc9c*=0xaec40, lpOverlapped=0x0) returned 1 [0069.550] ReadFile (in: hFile=0x21c, lpBuffer=0x3ee0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x385fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesRead=0x385fed4*=0x0, lpOverlapped=0x0) returned 1 [0069.550] WriteFile (in: hFile=0x20c, lpBuffer=0x3ee0020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x385fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesWritten=0x385fc9c*=0x104, lpOverlapped=0x0) returned 1 [0069.550] SetEndOfFile (hFile=0x20c) returned 1 [0069.551] CloseHandle (hObject=0x20c) returned 1 [0069.551] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.551] SetEndOfFile (hFile=0x21c) returned 1 [0069.558] CloseHandle (hObject=0x21c) returned 1 [0069.558] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0069.558] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 1 [0069.558] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0069.558] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0069.558] lstrlenW (lpString=".doc") returned 4 [0069.558] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0069.558] lstrlenW (lpString=".docx") returned 5 [0069.558] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0069.558] lstrlenW (lpString=".pdf") returned 4 [0069.558] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0069.558] lstrlenW (lpString=".xls") returned 4 [0069.559] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0069.559] lstrlenW (lpString=".xlsx") returned 5 [0069.559] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0069.559] lstrlenW (lpString=".ppt") returned 4 [0069.559] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0069.559] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0069.559] lstrlenW (lpString=".zip") returned 4 [0069.559] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0069.559] lstrlenW (lpString=".rar") returned 4 [0069.559] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0069.559] lstrlenW (lpString=".bz2") returned 4 [0069.559] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0069.559] lstrlenW (lpString=".7z") returned 3 [0069.559] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0069.559] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0069.559] lstrlenW (lpString=".dbf") returned 4 [0069.559] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0069.559] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0069.559] lstrlenW (lpString=".1cd") returned 4 [0069.559] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0069.559] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0069.559] lstrlenW (lpString=".jpg") returned 4 [0069.559] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0069.559] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0069.559] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0069.559] lstrlenW (lpString=".doc") returned 4 [0069.559] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0069.559] lstrlenW (lpString=".docx") returned 5 [0069.559] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0069.559] lstrlenW (lpString=".pdf") returned 4 [0069.559] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0069.560] lstrlenW (lpString=".xls") returned 4 [0069.560] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0069.560] lstrlenW (lpString=".xlsx") returned 5 [0069.560] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0069.560] lstrlenW (lpString=".ppt") returned 4 [0069.560] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0069.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0069.560] lstrlenW (lpString=".zip") returned 4 [0069.560] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0069.560] lstrlenW (lpString=".rar") returned 4 [0069.560] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0069.560] lstrlenW (lpString=".bz2") returned 4 [0069.560] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0069.560] lstrlenW (lpString=".7z") returned 3 [0069.560] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0069.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0069.560] lstrlenW (lpString=".dbf") returned 4 [0069.560] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0069.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0069.560] lstrlenW (lpString=".1cd") returned 4 [0069.560] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0069.561] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0069.561] lstrlenW (lpString=".jpg") returned 4 [0069.561] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0069.561] lstrcmpiW (lpString1=".msi", lpString2=".bmd") returned 1 [0069.561] lstrlenW (lpString="ProPlusrWW.msi") returned 14 [0069.561] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0069.561] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x385ff1c | out: lpFileSize=0x385ff1c*=27532288) returned 1 [0069.562] CloseHandle (hObject=0x21c) returned 1 [0069.562] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi")) returned 0x2020 [0069.562] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0069.562] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 1 [0069.562] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0069.563] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc6c | out: lpNewFilePointer=0x0) returned 1 [0069.563] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0069.563] ReadFile (in: hFile=0x21c, lpBuffer=0x3ee0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ee0058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0070.395] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x8c0955, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0070.395] ReadFile (in: hFile=0x21c, lpBuffer=0x3f20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3f20058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0070.537] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x385fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0070.537] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1a01c00, lpNewFilePointer=0x0, dwMoveMethod=0x385fc2c | out: lpNewFilePointer=0x0) returned 1 [0070.537] ReadFile (in: hFile=0x21c, lpBuffer=0x3f60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x385fc38, lpOverlapped=0x0 | out: lpBuffer=0x3f60058*, lpNumberOfBytesRead=0x385fc38*=0x40000, lpOverlapped=0x0) returned 1 [0070.563] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.563] WriteFile (in: hFile=0x21c, lpBuffer=0x3ee0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x385fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesWritten=0x385fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0070.960] SetEndOfFile (hFile=0x21c) returned 1 [0070.961] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x40f20a8 [0070.971] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0070.971] WriteFile (in: hFile=0x21c, lpBuffer=0x40f20a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x40f20a8*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0070.972] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x8c0955, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0070.972] WriteFile (in: hFile=0x21c, lpBuffer=0x40f20a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x40f20a8*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0070.977] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1a01c00, lpNewFilePointer=0x0, dwMoveMethod=0x385fc7c | out: lpNewFilePointer=0x0) returned 1 [0070.978] WriteFile (in: hFile=0x21c, lpBuffer=0x40f20a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x385fc88, lpOverlapped=0x0 | out: lpBuffer=0x40f20a8*, lpNumberOfBytesWritten=0x385fc88*=0x40000, lpOverlapped=0x0) returned 1 [0070.981] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x40f20a8 | out: hHeap=0x5f0000) returned 1 [0070.981] CloseHandle (hObject=0x21c) returned 1 [0070.981] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[backmydata@protonmail.com].bmd", dwFileAttributes=0x2020) returned 1 [0070.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0070.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0070.982] lstrlenW (lpString=".doc") returned 4 [0070.982] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0070.982] lstrlenW (lpString=".docx") returned 5 [0070.982] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0070.982] lstrlenW (lpString=".pdf") returned 4 [0070.982] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0070.982] lstrlenW (lpString=".xls") returned 4 [0070.982] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0070.982] lstrlenW (lpString=".xlsx") returned 5 [0070.982] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0070.982] lstrlenW (lpString=".ppt") returned 4 [0070.982] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0070.982] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0070.982] lstrlenW (lpString=".zip") returned 4 [0070.982] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0070.982] lstrlenW (lpString=".rar") returned 4 [0070.982] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0070.982] lstrlenW (lpString=".bz2") returned 4 [0070.982] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0070.982] lstrlenW (lpString=".7z") returned 3 [0070.982] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0070.982] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0070.982] lstrlenW (lpString=".dbf") returned 4 [0070.982] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0070.983] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0070.983] lstrlenW (lpString=".1cd") returned 4 [0070.983] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0070.983] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0070.983] lstrlenW (lpString=".jpg") returned 4 [0070.983] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0070.983] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0070.983] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0070.983] lstrlenW (lpString=".doc") returned 4 [0070.983] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0070.983] lstrlenW (lpString=".docx") returned 5 [0070.983] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0070.983] lstrlenW (lpString=".pdf") returned 4 [0070.983] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0070.983] lstrlenW (lpString=".xls") returned 4 [0070.983] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0070.983] lstrlenW (lpString=".xlsx") returned 5 [0070.983] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0070.983] lstrlenW (lpString=".ppt") returned 4 [0070.983] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0070.983] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0070.983] lstrlenW (lpString=".zip") returned 4 [0070.983] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0070.984] lstrlenW (lpString=".rar") returned 4 [0070.984] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0070.984] lstrlenW (lpString=".bz2") returned 4 [0070.984] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0070.984] lstrlenW (lpString=".7z") returned 3 [0070.984] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0070.984] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0070.984] lstrlenW (lpString=".dbf") returned 4 [0070.984] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0070.984] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0070.984] lstrlenW (lpString=".1cd") returned 4 [0070.984] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0070.984] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0070.984] lstrlenW (lpString=".jpg") returned 4 [0070.984] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0070.984] lstrcmpiW (lpString1=".exe", lpString2=".bmd") returned 1 [0070.984] lstrlenW (lpString="setup.exe") returned 9 [0070.984] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0071.049] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x385ff1c | out: lpFileSize=0x385ff1c*=1377656) returned 1 [0071.049] CloseHandle (hObject=0x218) returned 1 [0071.049] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 0x2020 [0071.049] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[backmydata@protonmail.com].bmd")) returned 0xffffffff [0071.049] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0071.050] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0071.050] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x385fec8 | out: lpNewFilePointer=0x0) returned 1 [0071.050] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[backmydata@protonmail.com].bmd" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[backmydata@protonmail.com].bmd"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0071.051] GetLastError () returned 0x0 [0071.051] ReadFile (in: hFile=0x218, lpBuffer=0x3ee0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x385fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ee0020*, lpNumberOfBytesRead=0x385fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0071.098] WriteFile (hFile=0x210, lpBuffer=0x3ee0020, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x385fc9c, lpOverlapped=0x0) Thread: id = 21 os_tid = 0x738 [0048.384] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x39400b8 [0048.385] lstrlenW (lpString="C:") returned 2 [0048.385] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x3bafd00 | out: lpFindFileData=0x3bafd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x6806c0 [0048.385] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0048.385] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0048.385] lstrlenW (lpString="$Recycle.Bin") returned 12 [0048.385] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0048.385] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3ff0048 [0048.386] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0048.386] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x3bafa84 | out: lpFindFileData=0x3bafa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x680700 [0048.386] FindNextFileW (in: hFindFile=0x680700, lpFindFileData=0x3bafa84 | out: lpFindFileData=0x3bafa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.386] FindNextFileW (in: hFindFile=0x680700, lpFindFileData=0x3bafa84 | out: lpFindFileData=0x3bafa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xfbfd08c0, ftLastAccessTime.dwHighDateTime=0x1d6830a, ftLastWriteTime.dwLowDateTime=0xfbfd08c0, ftLastWriteTime.dwHighDateTime=0x1d6830a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0048.386] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0048.386] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0048.386] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0048.387] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0048.387] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x4001058 [0048.387] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0048.387] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x3baf808 | out: lpFindFileData=0x3baf808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xfbfd08c0, ftLastAccessTime.dwHighDateTime=0x1d6830a, ftLastWriteTime.dwLowDateTime=0xfbff6a20, ftLastWriteTime.dwHighDateTime=0x1d6830a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4011078 [0048.387] FindNextFileW (in: hFindFile=0x4011078, lpFindFileData=0x3baf808 | out: lpFindFileData=0x3baf808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xfbfd08c0, ftLastAccessTime.dwHighDateTime=0x1d6830a, ftLastWriteTime.dwLowDateTime=0xfbff6a20, ftLastWriteTime.dwHighDateTime=0x1d6830a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.387] FindNextFileW (in: hFindFile=0x4011078, lpFindFileData=0x3baf808 | out: lpFindFileData=0x3baf808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfbfd08c0, ftCreationTime.dwHighDateTime=0x1d6830a, ftLastAccessTime.dwLowDateTime=0xfbfd08c0, ftLastAccessTime.dwHighDateTime=0x1d6830a, ftLastWriteTime.dwLowDateTime=0xfbff6a20, ftLastWriteTime.dwHighDateTime=0x1d6830a, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id-9C354B42.[backmydata@protonmail.com].bmd", cAlternateFileName="DESKTO~1.BMD")) returned 1 [0048.387] lstrlenW (lpString="desktop.ini.id-9C354B42.[backmydata@protonmail.com].bmd") returned 55 [0048.387] lstrlenW (lpString=".1cd") returned 4 [0048.387] lstrcmpiW (lpString1=".1cd", lpString2=".bmd") returned -1 [0048.387] lstrlenW (lpString=".3ds") returned 4 [0048.387] lstrcmpiW (lpString1=".3ds", lpString2=".bmd") returned -1 [0048.387] lstrlenW (lpString=".3fr") returned 4 [0048.387] lstrcmpiW (lpString1=".3fr", lpString2=".bmd") returned -1 [0048.387] lstrlenW (lpString=".3g2") returned 4 [0048.388] lstrcmpiW (lpString1=".3g2", lpString2=".bmd") returned -1 [0048.388] lstrlenW (lpString=".3gp") returned 4 [0048.388] lstrcmpiW (lpString1=".3gp", lpString2=".bmd") returned -1 [0048.388] lstrlenW (lpString=".7z") returned 3 [0048.388] lstrcmpiW (lpString1=".7z", lpString2="bmd") returned -1 [0048.388] lstrlenW (lpString=".accda") returned 6 [0048.388] lstrcmpiW (lpString1=".accda", lpString2="m].bmd") returned -1 [0048.388] lstrlenW (lpString=".accdb") returned 6 [0048.388] lstrcmpiW (lpString1=".accdb", lpString2="m].bmd") returned -1 [0048.388] lstrlenW (lpString=".accdc") returned 6 [0048.388] lstrcmpiW (lpString1=".accdc", lpString2="m].bmd") returned -1 [0048.388] lstrlenW (lpString=".accde") returned 6 [0048.388] lstrcmpiW (lpString1=".accde", lpString2="m].bmd") returned -1 [0048.388] lstrlenW (lpString=".accdt") returned 6 [0048.388] lstrcmpiW (lpString1=".accdt", lpString2="m].bmd") returned -1 [0048.388] lstrlenW (lpString=".accdw") returned 6 [0048.388] lstrcmpiW (lpString1=".accdw", lpString2="m].bmd") returned -1 [0048.388] lstrlenW (lpString=".adb") returned 4 [0048.388] lstrcmpiW (lpString1=".adb", lpString2=".bmd") returned -1 [0048.388] lstrlenW (lpString=".adp") returned 4 [0048.388] lstrcmpiW (lpString1=".adp", lpString2=".bmd") returned -1 [0048.388] lstrlenW (lpString=".ai") returned 3 [0048.388] lstrcmpiW (lpString1=".ai", lpString2="bmd") returned -1 [0048.388] lstrlenW (lpString=".ai3") returned 4 [0048.388] lstrcmpiW (lpString1=".ai3", lpString2=".bmd") returned -1 [0048.388] lstrlenW (lpString=".ai4") returned 4 [0048.388] lstrcmpiW (lpString1=".ai4", lpString2=".bmd") returned -1 [0048.389] lstrlenW (lpString=".ai5") returned 4 [0048.389] lstrcmpiW (lpString1=".ai5", lpString2=".bmd") returned -1 [0048.389] lstrlenW (lpString=".ai6") returned 4 [0048.389] lstrcmpiW (lpString1=".ai6", lpString2=".bmd") returned -1 [0048.389] lstrlenW (lpString=".ai7") returned 4 [0048.389] lstrcmpiW (lpString1=".ai7", lpString2=".bmd") returned -1 [0048.389] lstrlenW (lpString=".ai8") returned 4 [0048.389] lstrcmpiW (lpString1=".ai8", lpString2=".bmd") returned -1 [0048.389] lstrlenW (lpString=".anim") returned 5 [0048.389] lstrcmpiW (lpString1=".anim", lpString2="].bmd") returned -1 [0048.389] lstrlenW (lpString=".arw") returned 4 [0048.389] lstrcmpiW (lpString1=".arw", lpString2=".bmd") returned -1 [0048.389] lstrlenW (lpString=".as") returned 3 [0048.389] lstrcmpiW (lpString1=".as", lpString2="bmd") returned -1 [0048.389] lstrlenW (lpString=".asa") returned 4 [0048.389] lstrcmpiW (lpString1=".asa", lpString2=".bmd") returned -1 [0048.389] lstrlenW (lpString=".asc") returned 4 [0048.389] lstrcmpiW (lpString1=".asc", lpString2=".bmd") returned -1 [0048.389] lstrlenW (lpString=".ascx") returned 5 [0048.389] lstrcmpiW (lpString1=".ascx", lpString2="].bmd") returned -1 [0048.389] lstrlenW (lpString=".asm") returned 4 [0048.389] lstrcmpiW (lpString1=".asm", lpString2=".bmd") returned -1 [0048.389] lstrlenW (lpString=".asmx") returned 5 [0048.389] lstrcmpiW (lpString1=".asmx", lpString2="].bmd") returned -1 [0048.389] lstrlenW (lpString=".asp") returned 4 [0048.389] lstrcmpiW (lpString1=".asp", lpString2=".bmd") returned -1 [0048.390] lstrlenW (lpString=".aspx") returned 5 [0048.390] lstrcmpiW (lpString1=".aspx", lpString2="].bmd") returned -1 [0048.390] lstrlenW (lpString=".asr") returned 4 [0048.390] lstrcmpiW (lpString1=".asr", lpString2=".bmd") returned -1 [0048.390] lstrlenW (lpString=".asx") returned 4 [0048.390] lstrcmpiW (lpString1=".asx", lpString2=".bmd") returned -1 [0048.390] lstrlenW (lpString=".avi") returned 4 [0048.390] lstrcmpiW (lpString1=".avi", lpString2=".bmd") returned -1 [0048.390] lstrlenW (lpString=".avs") returned 4 [0048.390] lstrcmpiW (lpString1=".avs", lpString2=".bmd") returned -1 [0048.390] lstrlenW (lpString=".backup") returned 7 [0048.390] lstrcmpiW (lpString1=".backup", lpString2="om].bmd") returned -1 [0048.390] lstrlenW (lpString=".bak") returned 4 [0048.390] lstrcmpiW (lpString1=".bak", lpString2=".bmd") returned -1 [0048.390] lstrlenW (lpString=".bay") returned 4 [0048.390] lstrcmpiW (lpString1=".bay", lpString2=".bmd") returned -1 [0048.390] lstrlenW (lpString=".bd") returned 3 [0048.390] lstrcmpiW (lpString1=".bd", lpString2="bmd") returned -1 [0048.390] lstrlenW (lpString=".bin") returned 4 [0048.390] lstrcmpiW (lpString1=".bin", lpString2=".bmd") returned -1 [0048.390] lstrlenW (lpString=".bmp") returned 4 [0048.390] lstrcmpiW (lpString1=".bmp", lpString2=".bmd") returned 1 [0048.390] lstrlenW (lpString=".bz2") returned 4 [0048.390] lstrcmpiW (lpString1=".bz2", lpString2=".bmd") returned 1 [0048.390] lstrlenW (lpString=".c") returned 2 [0048.390] lstrcmpiW (lpString1=".c", lpString2="md") returned -1 [0048.391] lstrlenW (lpString=".cdr") returned 4 [0048.391] lstrcmpiW (lpString1=".cdr", lpString2=".bmd") returned 1 [0048.391] lstrlenW (lpString=".cer") returned 4 [0048.391] lstrcmpiW (lpString1=".cer", lpString2=".bmd") returned 1 [0048.391] lstrlenW (lpString=".cf") returned 3 [0048.391] lstrcmpiW (lpString1=".cf", lpString2="bmd") returned -1 [0048.391] lstrlenW (lpString=".cfc") returned 4 [0048.391] lstrcmpiW (lpString1=".cfc", lpString2=".bmd") returned 1 [0048.391] lstrlenW (lpString=".cfm") returned 4 [0048.391] lstrcmpiW (lpString1=".cfm", lpString2=".bmd") returned 1 [0048.391] lstrlenW (lpString=".cfml") returned 5 [0048.391] lstrcmpiW (lpString1=".cfml", lpString2="].bmd") returned -1 [0048.391] lstrlenW (lpString=".cfu") returned 4 [0048.391] lstrcmpiW (lpString1=".cfu", lpString2=".bmd") returned 1 [0048.391] lstrlenW (lpString=".chm") returned 4 [0048.391] lstrcmpiW (lpString1=".chm", lpString2=".bmd") returned 1 [0048.391] lstrlenW (lpString=".cin") returned 4 [0048.391] lstrcmpiW (lpString1=".cin", lpString2=".bmd") returned 1 [0048.391] lstrlenW (lpString=".class") returned 6 [0048.391] lstrcmpiW (lpString1=".class", lpString2="m].bmd") returned -1 [0048.391] lstrlenW (lpString=".clx") returned 4 [0048.391] lstrcmpiW (lpString1=".clx", lpString2=".bmd") returned 1 [0048.391] lstrlenW (lpString=".config") returned 7 [0048.391] lstrcmpiW (lpString1=".config", lpString2="om].bmd") returned -1 [0048.391] lstrlenW (lpString=".cpp") returned 4 [0048.391] lstrcmpiW (lpString1=".cpp", lpString2=".bmd") returned 1 [0048.392] lstrlenW (lpString=".cr2") returned 4 [0048.392] lstrcmpiW (lpString1=".cr2", lpString2=".bmd") returned 1 [0048.392] lstrlenW (lpString=".crt") returned 4 [0048.392] lstrcmpiW (lpString1=".crt", lpString2=".bmd") returned 1 [0048.392] lstrlenW (lpString=".crw") returned 4 [0048.392] lstrcmpiW (lpString1=".crw", lpString2=".bmd") returned 1 [0048.392] lstrlenW (lpString=".cs") returned 3 [0048.392] lstrcmpiW (lpString1=".cs", lpString2="bmd") returned -1 [0048.392] lstrlenW (lpString=".css") returned 4 [0048.392] lstrcmpiW (lpString1=".css", lpString2=".bmd") returned 1 [0048.392] lstrlenW (lpString=".csv") returned 4 [0048.392] lstrcmpiW (lpString1=".csv", lpString2=".bmd") returned 1 [0048.392] lstrlenW (lpString=".cub") returned 4 [0048.392] lstrcmpiW (lpString1=".cub", lpString2=".bmd") returned 1 [0048.392] lstrlenW (lpString=".dae") returned 4 [0048.392] lstrcmpiW (lpString1=".dae", lpString2=".bmd") returned 1 [0048.392] lstrlenW (lpString=".dat") returned 4 [0048.392] lstrcmpiW (lpString1=".dat", lpString2=".bmd") returned 1 [0048.392] lstrlenW (lpString=".db") returned 3 [0048.392] lstrcmpiW (lpString1=".db", lpString2="bmd") returned -1 [0048.392] lstrlenW (lpString=".dbf") returned 4 [0048.392] lstrcmpiW (lpString1=".dbf", lpString2=".bmd") returned 1 [0048.392] lstrlenW (lpString=".dbx") returned 4 [0048.392] lstrcmpiW (lpString1=".dbx", lpString2=".bmd") returned 1 [0048.392] lstrlenW (lpString=".dc3") returned 4 [0048.392] lstrcmpiW (lpString1=".dc3", lpString2=".bmd") returned 1 [0048.392] lstrlenW (lpString=".dcm") returned 4 [0048.393] lstrcmpiW (lpString1=".dcm", lpString2=".bmd") returned 1 [0048.393] lstrlenW (lpString=".dcr") returned 4 [0048.393] lstrcmpiW (lpString1=".dcr", lpString2=".bmd") returned 1 [0048.393] lstrlenW (lpString=".der") returned 4 [0048.393] lstrcmpiW (lpString1=".der", lpString2=".bmd") returned 1 [0048.393] lstrlenW (lpString=".dib") returned 4 [0048.393] lstrcmpiW (lpString1=".dib", lpString2=".bmd") returned 1 [0048.393] lstrlenW (lpString=".dic") returned 4 [0048.393] lstrcmpiW (lpString1=".dic", lpString2=".bmd") returned 1 [0048.393] lstrlenW (lpString=".dif") returned 4 [0048.393] lstrcmpiW (lpString1=".dif", lpString2=".bmd") returned 1 [0048.393] lstrlenW (lpString=".divx") returned 5 [0048.393] lstrcmpiW (lpString1=".divx", lpString2="].bmd") returned -1 [0048.393] lstrlenW (lpString=".djvu") returned 5 [0048.393] lstrcmpiW (lpString1=".djvu", lpString2="].bmd") returned -1 [0048.393] lstrlenW (lpString=".dng") returned 4 [0048.393] lstrcmpiW (lpString1=".dng", lpString2=".bmd") returned 1 [0048.393] lstrlenW (lpString=".doc") returned 4 [0048.393] lstrcmpiW (lpString1=".doc", lpString2=".bmd") returned 1 [0048.393] lstrlenW (lpString=".docm") returned 5 [0048.393] lstrcmpiW (lpString1=".docm", lpString2="].bmd") returned -1 [0048.393] lstrlenW (lpString=".docx") returned 5 [0048.393] lstrcmpiW (lpString1=".docx", lpString2="].bmd") returned -1 [0048.393] lstrlenW (lpString=".dot") returned 4 [0048.393] lstrcmpiW (lpString1=".dot", lpString2=".bmd") returned 1 [0048.393] lstrlenW (lpString=".dotm") returned 5 [0048.394] lstrcmpiW (lpString1=".dotm", lpString2="].bmd") returned -1 [0048.394] lstrlenW (lpString=".dotx") returned 5 [0048.394] lstrcmpiW (lpString1=".dotx", lpString2="].bmd") returned -1 [0048.394] lstrlenW (lpString=".dpx") returned 4 [0048.394] lstrcmpiW (lpString1=".dpx", lpString2=".bmd") returned 1 [0048.394] lstrlenW (lpString=".dqy") returned 4 [0048.394] lstrcmpiW (lpString1=".dqy", lpString2=".bmd") returned 1 [0048.394] lstrlenW (lpString=".dsn") returned 4 [0048.394] lstrcmpiW (lpString1=".dsn", lpString2=".bmd") returned 1 [0048.394] lstrlenW (lpString=".dt") returned 3 [0048.394] lstrcmpiW (lpString1=".dt", lpString2="bmd") returned -1 [0048.394] lstrlenW (lpString=".dtd") returned 4 [0048.394] lstrcmpiW (lpString1=".dtd", lpString2=".bmd") returned 1 [0048.394] lstrlenW (lpString=".dwg") returned 4 [0048.394] lstrcmpiW (lpString1=".dwg", lpString2=".bmd") returned 1 [0048.394] lstrlenW (lpString=".dwt") returned 4 [0048.394] lstrcmpiW (lpString1=".dwt", lpString2=".bmd") returned 1 [0048.394] lstrlenW (lpString=".dx") returned 3 [0048.394] lstrcmpiW (lpString1=".dx", lpString2="bmd") returned -1 [0048.394] lstrlenW (lpString=".dxf") returned 4 [0048.394] lstrcmpiW (lpString1=".dxf", lpString2=".bmd") returned 1 [0048.394] lstrlenW (lpString=".edml") returned 5 [0048.394] lstrcmpiW (lpString1=".edml", lpString2="].bmd") returned -1 [0048.394] lstrlenW (lpString=".efd") returned 4 [0048.395] lstrcmpiW (lpString1=".efd", lpString2=".bmd") returned 1 [0048.395] lstrlenW (lpString=".elf") returned 4 [0048.395] lstrcmpiW (lpString1=".elf", lpString2=".bmd") returned 1 [0048.395] lstrlenW (lpString=".emf") returned 4 [0048.395] lstrcmpiW (lpString1=".emf", lpString2=".bmd") returned 1 [0048.395] lstrlenW (lpString=".emz") returned 4 [0048.395] lstrcmpiW (lpString1=".emz", lpString2=".bmd") returned 1 [0048.395] lstrlenW (lpString=".epf") returned 4 [0048.395] lstrcmpiW (lpString1=".epf", lpString2=".bmd") returned 1 [0048.395] lstrlenW (lpString=".eps") returned 4 [0048.395] lstrcmpiW (lpString1=".eps", lpString2=".bmd") returned 1 [0048.395] lstrlenW (lpString=".epsf") returned 5 [0048.395] lstrcmpiW (lpString1=".epsf", lpString2="].bmd") returned -1 [0048.395] lstrlenW (lpString=".epsp") returned 5 [0048.395] lstrcmpiW (lpString1=".epsp", lpString2="].bmd") returned -1 [0048.395] lstrlenW (lpString=".erf") returned 4 [0048.395] lstrcmpiW (lpString1=".erf", lpString2=".bmd") returned 1 [0048.395] lstrlenW (lpString=".exr") returned 4 [0048.395] lstrcmpiW (lpString1=".exr", lpString2=".bmd") returned 1 [0048.395] lstrlenW (lpString=".f4v") returned 4 [0048.395] lstrcmpiW (lpString1=".f4v", lpString2=".bmd") returned 1 [0048.395] lstrlenW (lpString=".fido") returned 5 [0048.396] lstrcmpiW (lpString1=".fido", lpString2="].bmd") returned -1 [0048.396] lstrlenW (lpString=".flm") returned 4 [0048.396] lstrcmpiW (lpString1=".flm", lpString2=".bmd") returned 1 [0048.396] lstrlenW (lpString=".flv") returned 4 [0048.396] lstrcmpiW (lpString1=".flv", lpString2=".bmd") returned 1 [0048.396] lstrlenW (lpString=".frm") returned 4 [0048.396] lstrcmpiW (lpString1=".frm", lpString2=".bmd") returned 1 [0048.396] lstrlenW (lpString=".fxg") returned 4 [0048.396] lstrcmpiW (lpString1=".fxg", lpString2=".bmd") returned 1 [0048.396] lstrlenW (lpString=".geo") returned 4 [0048.396] lstrcmpiW (lpString1=".geo", lpString2=".bmd") returned 1 [0048.396] lstrlenW (lpString=".gif") returned 4 [0048.396] lstrcmpiW (lpString1=".gif", lpString2=".bmd") returned 1 [0048.396] lstrlenW (lpString=".grs") returned 4 [0048.396] lstrcmpiW (lpString1=".grs", lpString2=".bmd") returned 1 [0048.396] lstrlenW (lpString=".gz") returned 3 [0048.396] lstrcmpiW (lpString1=".gz", lpString2="bmd") returned -1 [0048.396] lstrlenW (lpString=".h") returned 2 [0048.396] lstrcmpiW (lpString1=".h", lpString2="md") returned -1 [0048.396] lstrlenW (lpString=".hdr") returned 4 [0048.396] lstrcmpiW (lpString1=".hdr", lpString2=".bmd") returned 1 [0048.396] lstrlenW (lpString=".hpp") returned 4 [0048.396] lstrcmpiW (lpString1=".hpp", lpString2=".bmd") returned 1 [0048.396] lstrlenW (lpString=".hta") returned 4 [0048.396] lstrcmpiW (lpString1=".hta", lpString2=".bmd") returned 1 [0048.396] lstrlenW (lpString=".htc") returned 4 [0048.397] lstrcmpiW (lpString1=".htc", lpString2=".bmd") returned 1 [0048.397] lstrlenW (lpString=".htm") returned 4 [0048.397] lstrcmpiW (lpString1=".htm", lpString2=".bmd") returned 1 [0048.397] lstrlenW (lpString=".html") returned 5 [0048.397] lstrcmpiW (lpString1=".html", lpString2="].bmd") returned -1 [0048.397] lstrlenW (lpString=".icb") returned 4 [0048.397] lstrcmpiW (lpString1=".icb", lpString2=".bmd") returned 1 [0048.397] lstrlenW (lpString=".ics") returned 4 [0048.397] lstrcmpiW (lpString1=".ics", lpString2=".bmd") returned 1 [0048.397] lstrlenW (lpString=".iff") returned 4 [0048.397] lstrcmpiW (lpString1=".iff", lpString2=".bmd") returned 1 [0048.397] lstrlenW (lpString=".inc") returned 4 [0048.397] lstrcmpiW (lpString1=".inc", lpString2=".bmd") returned 1 [0048.397] lstrlenW (lpString=".indd") returned 5 [0048.397] lstrcmpiW (lpString1=".indd", lpString2="].bmd") returned -1 [0048.397] lstrlenW (lpString=".ini") returned 4 [0048.397] lstrcmpiW (lpString1=".ini", lpString2=".bmd") returned 1 [0048.397] lstrlenW (lpString=".iqy") returned 4 [0048.397] lstrcmpiW (lpString1=".iqy", lpString2=".bmd") returned 1 [0048.397] lstrlenW (lpString=".j2c") returned 4 [0048.397] lstrcmpiW (lpString1=".j2c", lpString2=".bmd") returned 1 [0048.397] lstrlenW (lpString=".j2k") returned 4 [0048.397] lstrcmpiW (lpString1=".j2k", lpString2=".bmd") returned 1 [0048.397] lstrlenW (lpString=".java") returned 5 [0048.397] lstrcmpiW (lpString1=".java", lpString2="].bmd") returned -1 [0048.397] lstrlenW (lpString=".jp2") returned 4 [0048.398] lstrcmpiW (lpString1=".jp2", lpString2=".bmd") returned 1 [0048.398] lstrlenW (lpString=".jpc") returned 4 [0048.398] lstrcmpiW (lpString1=".jpc", lpString2=".bmd") returned 1 [0048.398] lstrlenW (lpString=".jpe") returned 4 [0048.398] lstrcmpiW (lpString1=".jpe", lpString2=".bmd") returned 1 [0048.398] lstrlenW (lpString=".jpeg") returned 5 [0048.398] lstrcmpiW (lpString1=".jpeg", lpString2="].bmd") returned -1 [0048.398] lstrlenW (lpString=".jpf") returned 4 [0048.398] lstrcmpiW (lpString1=".jpf", lpString2=".bmd") returned 1 [0048.398] lstrlenW (lpString=".jpg") returned 4 [0048.398] lstrcmpiW (lpString1=".jpg", lpString2=".bmd") returned 1 [0048.398] lstrlenW (lpString=".jpx") returned 4 [0048.398] lstrcmpiW (lpString1=".jpx", lpString2=".bmd") returned 1 [0048.398] lstrlenW (lpString=".js") returned 3 [0048.398] lstrcmpiW (lpString1=".js", lpString2="bmd") returned -1 [0048.398] lstrlenW (lpString=".jsf") returned 4 [0048.398] lstrcmpiW (lpString1=".jsf", lpString2=".bmd") returned 1 [0048.398] lstrlenW (lpString=".json") returned 5 [0048.398] lstrcmpiW (lpString1=".json", lpString2="].bmd") returned -1 [0048.398] lstrlenW (lpString=".jsp") returned 4 [0048.398] lstrcmpiW (lpString1=".jsp", lpString2=".bmd") returned 1 [0048.398] lstrlenW (lpString=".kdc") returned 4 [0048.398] lstrcmpiW (lpString1=".kdc", lpString2=".bmd") returned 1 [0048.398] lstrlenW (lpString=".kmz") returned 4 [0048.398] lstrcmpiW (lpString1=".kmz", lpString2=".bmd") returned 1 [0048.399] lstrlenW (lpString=".kwm") returned 4 [0048.399] lstrcmpiW (lpString1=".kwm", lpString2=".bmd") returned 1 [0048.399] lstrlenW (lpString=".lasso") returned 6 [0048.399] lstrcmpiW (lpString1=".lasso", lpString2="m].bmd") returned -1 [0048.399] lstrlenW (lpString=".lbi") returned 4 [0048.399] lstrcmpiW (lpString1=".lbi", lpString2=".bmd") returned 1 [0048.399] lstrlenW (lpString=".lgf") returned 4 [0048.399] lstrcmpiW (lpString1=".lgf", lpString2=".bmd") returned 1 [0048.399] lstrlenW (lpString=".lgp") returned 4 [0048.399] lstrcmpiW (lpString1=".lgp", lpString2=".bmd") returned 1 [0048.399] lstrlenW (lpString=".log") returned 4 [0048.399] lstrcmpiW (lpString1=".log", lpString2=".bmd") returned 1 [0048.399] lstrlenW (lpString=".m1v") returned 4 [0048.399] lstrcmpiW (lpString1=".m1v", lpString2=".bmd") returned 1 [0048.399] lstrlenW (lpString=".m4a") returned 4 [0048.399] lstrcmpiW (lpString1=".m4a", lpString2=".bmd") returned 1 [0048.399] lstrlenW (lpString=".m4v") returned 4 [0048.399] lstrcmpiW (lpString1=".m4v", lpString2=".bmd") returned 1 [0048.399] lstrlenW (lpString=".max") returned 4 [0048.399] lstrcmpiW (lpString1=".max", lpString2=".bmd") returned 1 [0048.399] lstrlenW (lpString=".md") returned 3 [0048.399] lstrcmpiW (lpString1=".md", lpString2="bmd") returned -1 [0048.399] lstrlenW (lpString=".mda") returned 4 [0048.399] lstrcmpiW (lpString1=".mda", lpString2=".bmd") returned 1 [0048.399] lstrlenW (lpString=".mdb") returned 4 [0048.399] lstrcmpiW (lpString1=".mdb", lpString2=".bmd") returned 1 [0048.399] lstrlenW (lpString=".mde") returned 4 [0048.400] lstrcmpiW (lpString1=".mde", lpString2=".bmd") returned 1 [0048.400] lstrlenW (lpString=".mdf") returned 4 [0048.400] lstrcmpiW (lpString1=".mdf", lpString2=".bmd") returned 1 [0048.400] lstrlenW (lpString=".mdw") returned 4 [0048.400] lstrcmpiW (lpString1=".mdw", lpString2=".bmd") returned 1 [0048.400] lstrlenW (lpString=".mef") returned 4 [0048.400] lstrcmpiW (lpString1=".mef", lpString2=".bmd") returned 1 [0048.400] lstrlenW (lpString=".mft") returned 4 [0048.400] lstrcmpiW (lpString1=".mft", lpString2=".bmd") returned 1 [0048.400] lstrlenW (lpString=".mfw") returned 4 [0048.400] lstrcmpiW (lpString1=".mfw", lpString2=".bmd") returned 1 [0048.400] lstrlenW (lpString=".mht") returned 4 [0048.400] lstrcmpiW (lpString1=".mht", lpString2=".bmd") returned 1 [0048.400] lstrlenW (lpString=".mhtml") returned 6 [0048.400] lstrcmpiW (lpString1=".mhtml", lpString2="m].bmd") returned -1 [0048.400] lstrlenW (lpString=".mka") returned 4 [0048.400] lstrcmpiW (lpString1=".mka", lpString2=".bmd") returned 1 [0048.400] lstrlenW (lpString=".mkidx") returned 6 [0048.400] lstrcmpiW (lpString1=".mkidx", lpString2="m].bmd") returned -1 [0048.400] lstrlenW (lpString=".mkv") returned 4 [0048.400] lstrcmpiW (lpString1=".mkv", lpString2=".bmd") returned 1 [0048.400] lstrlenW (lpString=".mos") returned 4 [0048.400] lstrcmpiW (lpString1=".mos", lpString2=".bmd") returned 1 [0048.400] lstrlenW (lpString=".mov") returned 4 [0048.400] lstrcmpiW (lpString1=".mov", lpString2=".bmd") returned 1 [0048.401] lstrlenW (lpString=".mp3") returned 4 [0048.401] lstrcmpiW (lpString1=".mp3", lpString2=".bmd") returned 1 [0048.401] lstrlenW (lpString=".mp4") returned 4 [0048.401] lstrcmpiW (lpString1=".mp4", lpString2=".bmd") returned 1 [0048.401] lstrlenW (lpString=".mpeg") returned 5 [0048.401] lstrcmpiW (lpString1=".mpeg", lpString2="].bmd") returned -1 [0048.401] lstrlenW (lpString=".mpg") returned 4 [0048.401] lstrcmpiW (lpString1=".mpg", lpString2=".bmd") returned 1 [0048.401] lstrlenW (lpString=".mpv") returned 4 [0048.401] lstrcmpiW (lpString1=".mpv", lpString2=".bmd") returned 1 [0048.401] lstrlenW (lpString=".mrw") returned 4 [0048.401] lstrcmpiW (lpString1=".mrw", lpString2=".bmd") returned 1 [0048.401] lstrlenW (lpString=".msg") returned 4 [0048.401] lstrcmpiW (lpString1=".msg", lpString2=".bmd") returned 1 [0048.402] lstrlenW (lpString=".mxl") returned 4 [0048.402] lstrcmpiW (lpString1=".mxl", lpString2=".bmd") returned 1 [0048.402] lstrlenW (lpString=".myd") returned 4 [0048.402] lstrcmpiW (lpString1=".myd", lpString2=".bmd") returned 1 [0048.402] lstrlenW (lpString=".myi") returned 4 [0048.402] lstrcmpiW (lpString1=".myi", lpString2=".bmd") returned 1 [0048.402] lstrlenW (lpString=".nef") returned 4 [0048.402] lstrcmpiW (lpString1=".nef", lpString2=".bmd") returned 1 [0048.402] lstrlenW (lpString=".nrw") returned 4 [0048.402] lstrcmpiW (lpString1=".nrw", lpString2=".bmd") returned 1 [0048.402] lstrlenW (lpString=".obj") returned 4 [0048.402] lstrcmpiW (lpString1=".obj", lpString2=".bmd") returned 1 [0048.402] lstrlenW (lpString=".odb") returned 4 [0048.402] lstrcmpiW (lpString1=".odb", lpString2=".bmd") returned 1 [0048.402] lstrlenW (lpString=".odc") returned 4 [0048.402] lstrcmpiW (lpString1=".odc", lpString2=".bmd") returned 1 [0048.402] lstrlenW (lpString=".odm") returned 4 [0048.402] lstrcmpiW (lpString1=".odm", lpString2=".bmd") returned 1 [0048.402] lstrlenW (lpString=".odp") returned 4 [0048.402] lstrcmpiW (lpString1=".odp", lpString2=".bmd") returned 1 [0048.402] lstrlenW (lpString=".ods") returned 4 [0048.402] lstrcmpiW (lpString1=".ods", lpString2=".bmd") returned 1 [0048.402] lstrlenW (lpString=".oft") returned 4 [0048.402] lstrcmpiW (lpString1=".oft", lpString2=".bmd") returned 1 [0048.402] lstrlenW (lpString=".one") returned 4 [0048.402] lstrcmpiW (lpString1=".one", lpString2=".bmd") returned 1 [0048.403] lstrlenW (lpString=".onepkg") returned 7 [0048.403] lstrcmpiW (lpString1=".onepkg", lpString2="om].bmd") returned -1 [0048.403] lstrlenW (lpString=".onetoc2") returned 8 [0048.403] lstrcmpiW (lpString1=".onetoc2", lpString2="com].bmd") returned -1 [0048.403] lstrlenW (lpString=".opt") returned 4 [0048.403] lstrcmpiW (lpString1=".opt", lpString2=".bmd") returned 1 [0048.403] lstrlenW (lpString=".oqy") returned 4 [0048.403] lstrcmpiW (lpString1=".oqy", lpString2=".bmd") returned 1 [0048.403] lstrlenW (lpString=".orf") returned 4 [0048.403] lstrcmpiW (lpString1=".orf", lpString2=".bmd") returned 1 [0048.403] lstrlenW (lpString=".p12") returned 4 [0048.403] lstrcmpiW (lpString1=".p12", lpString2=".bmd") returned 1 [0048.403] lstrlenW (lpString=".p7b") returned 4 [0048.403] lstrcmpiW (lpString1=".p7b", lpString2=".bmd") returned 1 [0048.403] lstrlenW (lpString=".p7c") returned 4 [0048.403] lstrcmpiW (lpString1=".p7c", lpString2=".bmd") returned 1 [0048.403] lstrlenW (lpString=".pam") returned 4 [0048.403] lstrcmpiW (lpString1=".pam", lpString2=".bmd") returned 1 [0048.403] lstrlenW (lpString=".pbm") returned 4 [0048.403] lstrcmpiW (lpString1=".pbm", lpString2=".bmd") returned 1 [0048.403] lstrlenW (lpString=".pct") returned 4 [0048.403] lstrcmpiW (lpString1=".pct", lpString2=".bmd") returned 1 [0048.403] lstrlenW (lpString=".pcx") returned 4 [0048.403] lstrcmpiW (lpString1=".pcx", lpString2=".bmd") returned 1 [0048.403] lstrlenW (lpString=".pdd") returned 4 [0048.403] lstrcmpiW (lpString1=".pdd", lpString2=".bmd") returned 1 [0048.404] lstrlenW (lpString=".pdf") returned 4 [0048.404] lstrcmpiW (lpString1=".pdf", lpString2=".bmd") returned 1 [0048.404] lstrlenW (lpString=".pdp") returned 4 [0048.404] lstrcmpiW (lpString1=".pdp", lpString2=".bmd") returned 1 [0048.404] lstrlenW (lpString=".pef") returned 4 [0048.404] lstrcmpiW (lpString1=".pef", lpString2=".bmd") returned 1 [0048.404] lstrlenW (lpString=".pem") returned 4 [0048.404] lstrcmpiW (lpString1=".pem", lpString2=".bmd") returned 1 [0048.404] lstrlenW (lpString=".pff") returned 4 [0048.404] lstrcmpiW (lpString1=".pff", lpString2=".bmd") returned 1 [0048.404] lstrlenW (lpString=".pfm") returned 4 [0048.404] lstrcmpiW (lpString1=".pfm", lpString2=".bmd") returned 1 [0048.404] lstrlenW (lpString=".pfx") returned 4 [0048.404] lstrcmpiW (lpString1=".pfx", lpString2=".bmd") returned 1 [0048.404] lstrlenW (lpString=".pgm") returned 4 [0048.404] lstrcmpiW (lpString1=".pgm", lpString2=".bmd") returned 1 [0048.404] lstrlenW (lpString=".php") returned 4 [0048.404] lstrcmpiW (lpString1=".php", lpString2=".bmd") returned 1 [0048.404] lstrlenW (lpString=".php3") returned 5 [0048.404] lstrcmpiW (lpString1=".php3", lpString2="].bmd") returned -1 [0048.404] lstrlenW (lpString=".php4") returned 5 [0048.404] lstrcmpiW (lpString1=".php4", lpString2="].bmd") returned -1 [0048.404] lstrlenW (lpString=".php5") returned 5 [0048.404] lstrcmpiW (lpString1=".php5", lpString2="].bmd") returned -1 [0048.404] lstrlenW (lpString=".phtml") returned 6 [0048.404] lstrcmpiW (lpString1=".phtml", lpString2="m].bmd") returned -1 [0048.405] lstrlenW (lpString=".pict") returned 5 [0048.405] lstrcmpiW (lpString1=".pict", lpString2="].bmd") returned -1 [0048.405] lstrlenW (lpString=".pl") returned 3 [0048.405] lstrcmpiW (lpString1=".pl", lpString2="bmd") returned -1 [0048.405] lstrlenW (lpString=".pls") returned 4 [0048.405] lstrcmpiW (lpString1=".pls", lpString2=".bmd") returned 1 [0048.405] lstrlenW (lpString=".pm") returned 3 [0048.405] lstrcmpiW (lpString1=".pm", lpString2="bmd") returned -1 [0048.405] lstrlenW (lpString=".png") returned 4 [0048.405] lstrcmpiW (lpString1=".png", lpString2=".bmd") returned 1 [0048.405] lstrlenW (lpString=".pnm") returned 4 [0048.405] lstrcmpiW (lpString1=".pnm", lpString2=".bmd") returned 1 [0048.405] lstrlenW (lpString=".pot") returned 4 [0048.405] lstrcmpiW (lpString1=".pot", lpString2=".bmd") returned 1 [0048.405] lstrlenW (lpString=".potm") returned 5 [0048.405] lstrcmpiW (lpString1=".potm", lpString2="].bmd") returned -1 [0048.405] lstrlenW (lpString=".potx") returned 5 [0048.405] lstrcmpiW (lpString1=".potx", lpString2="].bmd") returned -1 [0048.405] lstrlenW (lpString=".ppa") returned 4 [0048.405] lstrcmpiW (lpString1=".ppa", lpString2=".bmd") returned 1 [0048.405] lstrlenW (lpString=".ppam") returned 5 [0048.405] lstrcmpiW (lpString1=".ppam", lpString2="].bmd") returned -1 [0048.405] lstrlenW (lpString=".ppm") returned 4 [0048.405] lstrcmpiW (lpString1=".ppm", lpString2=".bmd") returned 1 [0048.405] lstrlenW (lpString=".pps") returned 4 [0048.405] lstrcmpiW (lpString1=".pps", lpString2=".bmd") returned 1 [0048.406] lstrlenW (lpString=".ppsm") returned 5 [0048.406] lstrcmpiW (lpString1=".ppsm", lpString2="].bmd") returned -1 [0048.406] lstrlenW (lpString=".ppt") returned 4 [0048.406] lstrcmpiW (lpString1=".ppt", lpString2=".bmd") returned 1 [0048.406] lstrlenW (lpString=".pptm") returned 5 [0048.406] lstrcmpiW (lpString1=".pptm", lpString2="].bmd") returned -1 [0048.406] lstrlenW (lpString=".pptx") returned 5 [0048.406] lstrcmpiW (lpString1=".pptx", lpString2="].bmd") returned -1 [0048.406] lstrlenW (lpString=".prn") returned 4 [0048.406] lstrcmpiW (lpString1=".prn", lpString2=".bmd") returned 1 [0048.406] lstrlenW (lpString=".ps") returned 3 [0048.406] lstrcmpiW (lpString1=".ps", lpString2="bmd") returned -1 [0048.406] lstrlenW (lpString=".psb") returned 4 [0048.406] lstrcmpiW (lpString1=".psb", lpString2=".bmd") returned 1 [0048.406] lstrlenW (lpString=".psd") returned 4 [0048.406] lstrcmpiW (lpString1=".psd", lpString2=".bmd") returned 1 [0048.406] lstrlenW (lpString=".pst") returned 4 [0048.406] lstrcmpiW (lpString1=".pst", lpString2=".bmd") returned 1 [0048.406] lstrlenW (lpString=".ptx") returned 4 [0048.406] lstrcmpiW (lpString1=".ptx", lpString2=".bmd") returned 1 [0048.406] lstrlenW (lpString=".pub") returned 4 [0048.406] lstrcmpiW (lpString1=".pub", lpString2=".bmd") returned 1 [0048.406] lstrlenW (lpString=".pwm") returned 4 [0048.406] lstrcmpiW (lpString1=".pwm", lpString2=".bmd") returned 1 [0048.830] FindNextFileW (in: hFindFile=0x4011178, lpFindFileData=0x3baf58c | out: lpFindFileData=0x3baf58c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.830] FindNextFileW (in: hFindFile=0x4011178, lpFindFileData=0x3baf58c | out: lpFindFileData=0x3baf58c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Access.en-us", cAlternateFileName="ACCESS~1.EN-")) returned 1 [0048.831] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us") returned 1 [0048.831] lstrcmpiW (lpString1="C:\\Windows", lpString2="Access.en-us") returned 1 [0048.831] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x4022068 [0048.831] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*", lpFindFileData=0x3baf310 | out: lpFindFileData=0x3baf310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x40111b8 [0048.832] FindNextFileW (in: hFindFile=0x40111b8, lpFindFileData=0x3baf310 | out: lpFindFileData=0x3baf310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.832] FindNextFileW (in: hFindFile=0x40111b8, lpFindFileData=0x3baf310 | out: lpFindFileData=0x3baf310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa623330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x266a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUI.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0048.832] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.832] lstrcmpiW (lpString1=".3ds", lpString2=".msi") returned -1 [0048.832] FindNextFileW (in: hFindFile=0x40111b8, lpFindFileData=0x3baf310 | out: lpFindFileData=0x3baf310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa5fe940, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x545, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUI.xml", cAlternateFileName="ACCESS~1.XML")) returned 1 [0048.832] lstrlenW (lpString="AccessMUI.xml") returned 13 [0048.832] lstrlenW (lpString=".1cd") returned 4 [0048.833] FindClose (in: hFindFile=0x40111b8 | out: hFindFile=0x40111b8) returned 1 [0048.833] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4022068 | out: hHeap=0x5f0000) returned 1 [0048.833] FindNextFileW (in: hFindFile=0x4011178, lpFindFileData=0x3baf58c | out: lpFindFileData=0x3baf58c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa160f00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUISet.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0048.834] lstrlenW (lpString="AccessMUISet.msi") returned 16 [0048.834] lstrlenW (lpString=".1cd") returned 4 [0048.834] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.834] lstrlenW (lpString=".3ds") returned 4 [0048.834] lstrcmpiW (lpString1=".3ds", lpString2=".msi") returned -1 [0048.834] lstrlenW (lpString=".3fr") returned 4 [0048.834] lstrcmpiW (lpString1=".3fr", lpString2=".msi") returned -1 [0048.834] lstrlenW (lpString=".3g2") returned 4 [0048.834] lstrcmpiW (lpString1=".3g2", lpString2=".msi") returned -1 [0048.834] lstrlenW (lpString=".3gp") returned 4 [0048.834] lstrcmpiW (lpString1=".3gp", lpString2=".msi") returned -1 [0048.834] lstrlenW (lpString=".7z") returned 3 [0048.834] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.834] lstrlenW (lpString=".accda") returned 6 [0048.834] lstrcmpiW (lpString1=".accda", lpString2="et.msi") returned -1 [0048.834] lstrlenW (lpString=".accdb") returned 6 [0048.834] lstrcmpiW (lpString1=".accdb", lpString2="et.msi") returned -1 [0048.834] lstrlenW (lpString=".accdc") returned 6 [0048.834] lstrcmpiW (lpString1=".accdc", lpString2="et.msi") returned -1 [0048.834] lstrlenW (lpString=".accde") returned 6 [0048.834] lstrcmpiW (lpString1=".accde", lpString2="et.msi") returned -1 [0048.834] lstrlenW (lpString=".accdt") returned 6 [0048.834] lstrcmpiW (lpString1=".accdt", lpString2="et.msi") returned -1 [0048.834] lstrlenW (lpString=".accdw") returned 6 [0048.834] lstrcmpiW (lpString1=".accdw", lpString2="et.msi") returned -1 [0048.834] lstrlenW (lpString=".adb") returned 4 [0048.834] lstrcmpiW (lpString1=".adb", lpString2=".msi") returned -1 [0048.835] lstrlenW (lpString=".adp") returned 4 [0048.835] lstrcmpiW (lpString1=".adp", lpString2=".msi") returned -1 [0048.835] lstrlenW (lpString=".ai") returned 3 [0048.835] lstrcmpiW (lpString1=".ai", lpString2="msi") returned -1 [0048.835] lstrlenW (lpString=".ai3") returned 4 [0048.835] lstrcmpiW (lpString1=".ai3", lpString2=".msi") returned -1 [0048.835] lstrlenW (lpString=".ai4") returned 4 [0048.835] lstrcmpiW (lpString1=".ai4", lpString2=".msi") returned -1 [0048.835] lstrlenW (lpString=".ai5") returned 4 [0048.835] lstrcmpiW (lpString1=".ai5", lpString2=".msi") returned -1 [0048.835] lstrlenW (lpString=".ai6") returned 4 [0048.835] lstrcmpiW (lpString1=".ai6", lpString2=".msi") returned -1 [0048.835] lstrlenW (lpString=".ai7") returned 4 [0048.835] lstrcmpiW (lpString1=".ai7", lpString2=".msi") returned -1 [0048.835] lstrlenW (lpString=".ai8") returned 4 [0048.835] lstrcmpiW (lpString1=".ai8", lpString2=".msi") returned -1 [0048.835] lstrlenW (lpString=".anim") returned 5 [0048.835] lstrcmpiW (lpString1=".anim", lpString2="t.msi") returned -1 [0048.835] lstrlenW (lpString=".arw") returned 4 [0048.835] lstrcmpiW (lpString1=".arw", lpString2=".msi") returned -1 [0048.835] lstrlenW (lpString=".as") returned 3 [0048.835] lstrcmpiW (lpString1=".as", lpString2="msi") returned -1 [0048.835] lstrlenW (lpString=".asa") returned 4 [0048.835] lstrcmpiW (lpString1=".asa", lpString2=".msi") returned -1 [0048.835] lstrlenW (lpString=".asc") returned 4 [0048.835] lstrcmpiW (lpString1=".asc", lpString2=".msi") returned -1 [0048.835] lstrlenW (lpString=".ascx") returned 5 [0048.835] lstrcmpiW (lpString1=".ascx", lpString2="t.msi") returned -1 [0048.835] lstrlenW (lpString=".asm") returned 4 [0048.835] lstrcmpiW (lpString1=".asm", lpString2=".msi") returned -1 [0048.835] lstrlenW (lpString=".asmx") returned 5 [0048.836] lstrcmpiW (lpString1=".asmx", lpString2="t.msi") returned -1 [0048.836] lstrlenW (lpString=".asp") returned 4 [0048.836] lstrcmpiW (lpString1=".asp", lpString2=".msi") returned -1 [0048.836] lstrlenW (lpString=".aspx") returned 5 [0048.836] lstrcmpiW (lpString1=".aspx", lpString2="t.msi") returned -1 [0048.836] lstrlenW (lpString=".asr") returned 4 [0048.836] lstrcmpiW (lpString1=".asr", lpString2=".msi") returned -1 [0048.836] lstrlenW (lpString=".asx") returned 4 [0048.836] lstrcmpiW (lpString1=".asx", lpString2=".msi") returned -1 [0048.836] lstrlenW (lpString=".avi") returned 4 [0048.836] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0048.836] lstrlenW (lpString=".avs") returned 4 [0048.836] lstrcmpiW (lpString1=".avs", lpString2=".msi") returned -1 [0048.836] lstrlenW (lpString=".backup") returned 7 [0048.836] lstrcmpiW (lpString1=".backup", lpString2="Set.msi") returned -1 [0048.836] lstrlenW (lpString=".bak") returned 4 [0048.836] lstrcmpiW (lpString1=".bak", lpString2=".msi") returned -1 [0048.836] lstrlenW (lpString=".bay") returned 4 [0048.836] lstrcmpiW (lpString1=".bay", lpString2=".msi") returned -1 [0048.836] lstrlenW (lpString=".bd") returned 3 [0048.836] lstrcmpiW (lpString1=".bd", lpString2="msi") returned -1 [0048.836] lstrlenW (lpString=".bin") returned 4 [0048.836] lstrcmpiW (lpString1=".bin", lpString2=".msi") returned -1 [0048.836] lstrlenW (lpString=".bmp") returned 4 [0048.836] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0048.836] lstrlenW (lpString=".bz2") returned 4 [0048.836] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.836] lstrlenW (lpString=".c") returned 2 [0048.836] lstrcmpiW (lpString1=".c", lpString2="si") returned -1 [0048.836] lstrlenW (lpString=".cdr") returned 4 [0048.836] lstrcmpiW (lpString1=".cdr", lpString2=".msi") returned -1 [0048.836] lstrlenW (lpString=".cer") returned 4 [0048.836] lstrcmpiW (lpString1=".cer", lpString2=".msi") returned -1 [0048.837] lstrlenW (lpString=".cf") returned 3 [0048.837] lstrcmpiW (lpString1=".cf", lpString2="msi") returned -1 [0048.837] lstrlenW (lpString=".cfc") returned 4 [0048.837] lstrcmpiW (lpString1=".cfc", lpString2=".msi") returned -1 [0048.837] lstrlenW (lpString=".cfm") returned 4 [0048.837] lstrcmpiW (lpString1=".cfm", lpString2=".msi") returned -1 [0048.837] lstrlenW (lpString=".cfml") returned 5 [0048.837] lstrcmpiW (lpString1=".cfml", lpString2="t.msi") returned -1 [0048.837] lstrlenW (lpString=".cfu") returned 4 [0048.837] lstrcmpiW (lpString1=".cfu", lpString2=".msi") returned -1 [0048.837] lstrlenW (lpString=".chm") returned 4 [0048.837] lstrcmpiW (lpString1=".chm", lpString2=".msi") returned -1 [0048.837] lstrlenW (lpString=".cin") returned 4 [0048.837] lstrcmpiW (lpString1=".cin", lpString2=".msi") returned -1 [0048.837] lstrlenW (lpString=".class") returned 6 [0048.837] lstrcmpiW (lpString1=".class", lpString2="et.msi") returned -1 [0048.837] lstrlenW (lpString=".clx") returned 4 [0048.837] lstrcmpiW (lpString1=".clx", lpString2=".msi") returned -1 [0048.837] lstrlenW (lpString=".config") returned 7 [0048.837] lstrcmpiW (lpString1=".config", lpString2="Set.msi") returned -1 [0048.837] lstrlenW (lpString=".cpp") returned 4 [0048.837] lstrcmpiW (lpString1=".cpp", lpString2=".msi") returned -1 [0048.837] lstrlenW (lpString=".cr2") returned 4 [0048.837] lstrcmpiW (lpString1=".cr2", lpString2=".msi") returned -1 [0048.938] lstrlenW (lpString=".crt") returned 4 [0048.938] lstrcmpiW (lpString1=".crt", lpString2=".msi") returned -1 [0048.938] lstrlenW (lpString=".crw") returned 4 [0048.938] lstrcmpiW (lpString1=".crw", lpString2=".msi") returned -1 [0048.938] lstrlenW (lpString=".cs") returned 3 [0048.938] lstrcmpiW (lpString1=".cs", lpString2="msi") returned -1 [0048.938] lstrlenW (lpString=".css") returned 4 [0048.938] lstrcmpiW (lpString1=".css", lpString2=".msi") returned -1 [0048.938] lstrlenW (lpString=".csv") returned 4 [0048.938] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0048.938] lstrlenW (lpString=".cub") returned 4 [0048.938] lstrcmpiW (lpString1=".cub", lpString2=".msi") returned -1 [0048.938] lstrlenW (lpString=".dae") returned 4 [0048.938] lstrcmpiW (lpString1=".dae", lpString2=".msi") returned -1 [0048.939] lstrlenW (lpString=".dat") returned 4 [0048.939] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0048.939] lstrlenW (lpString=".db") returned 3 [0048.939] lstrcmpiW (lpString1=".db", lpString2="msi") returned -1 [0048.939] lstrlenW (lpString=".dbf") returned 4 [0048.939] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.939] lstrlenW (lpString=".dbx") returned 4 [0048.939] lstrcmpiW (lpString1=".dbx", lpString2=".msi") returned -1 [0048.939] lstrlenW (lpString=".dc3") returned 4 [0048.939] lstrcmpiW (lpString1=".dc3", lpString2=".msi") returned -1 [0048.939] lstrlenW (lpString=".dcm") returned 4 [0048.939] lstrcmpiW (lpString1=".dcm", lpString2=".msi") returned -1 [0048.939] lstrlenW (lpString=".dcr") returned 4 [0048.939] lstrcmpiW (lpString1=".dcr", lpString2=".msi") returned -1 [0048.939] lstrlenW (lpString=".der") returned 4 [0048.939] lstrcmpiW (lpString1=".der", lpString2=".msi") returned -1 [0048.939] lstrlenW (lpString=".dib") returned 4 [0048.939] lstrcmpiW (lpString1=".dib", lpString2=".msi") returned -1 [0048.939] lstrlenW (lpString=".dic") returned 4 [0048.939] lstrcmpiW (lpString1=".dic", lpString2=".msi") returned -1 [0048.939] lstrlenW (lpString=".dif") returned 4 [0048.939] lstrcmpiW (lpString1=".dif", lpString2=".msi") returned -1 [0048.939] lstrlenW (lpString=".divx") returned 5 [0048.939] lstrcmpiW (lpString1=".divx", lpString2="t.msi") returned -1 [0048.939] lstrlenW (lpString=".djvu") returned 5 [0048.939] lstrcmpiW (lpString1=".djvu", lpString2="t.msi") returned -1 [0048.939] lstrlenW (lpString=".dng") returned 4 [0048.939] lstrcmpiW (lpString1=".dng", lpString2=".msi") returned -1 [0048.939] lstrlenW (lpString=".doc") returned 4 [0048.939] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.939] lstrlenW (lpString=".docm") returned 5 [0048.939] lstrcmpiW (lpString1=".docm", lpString2="t.msi") returned -1 [0048.939] lstrlenW (lpString=".docx") returned 5 [0048.939] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0048.940] lstrlenW (lpString=".dot") returned 4 [0048.940] lstrcmpiW (lpString1=".dot", lpString2=".msi") returned -1 [0048.940] lstrlenW (lpString=".dotm") returned 5 [0048.940] lstrcmpiW (lpString1=".dotm", lpString2="t.msi") returned -1 [0048.940] lstrlenW (lpString=".dotx") returned 5 [0048.940] lstrcmpiW (lpString1=".dotx", lpString2="t.msi") returned -1 [0048.940] lstrlenW (lpString=".dpx") returned 4 [0048.940] lstrcmpiW (lpString1=".dpx", lpString2=".msi") returned -1 [0048.940] lstrlenW (lpString=".dqy") returned 4 [0048.940] lstrcmpiW (lpString1=".dqy", lpString2=".msi") returned -1 [0048.940] lstrlenW (lpString=".dsn") returned 4 [0048.940] lstrcmpiW (lpString1=".dsn", lpString2=".msi") returned -1 [0048.940] lstrlenW (lpString=".dt") returned 3 [0048.940] lstrcmpiW (lpString1=".dt", lpString2="msi") returned -1 [0048.940] lstrlenW (lpString=".dtd") returned 4 [0048.940] lstrcmpiW (lpString1=".dtd", lpString2=".msi") returned -1 [0048.940] lstrlenW (lpString=".dwg") returned 4 [0048.940] lstrcmpiW (lpString1=".dwg", lpString2=".msi") returned -1 [0048.940] lstrlenW (lpString=".dwt") returned 4 [0048.940] lstrcmpiW (lpString1=".dwt", lpString2=".msi") returned -1 [0048.940] lstrlenW (lpString=".dx") returned 3 [0048.940] lstrcmpiW (lpString1=".dx", lpString2="msi") returned -1 [0048.940] lstrlenW (lpString=".dxf") returned 4 [0048.940] lstrcmpiW (lpString1=".dxf", lpString2=".msi") returned -1 [0048.940] lstrlenW (lpString=".edml") returned 5 [0048.940] lstrcmpiW (lpString1=".edml", lpString2="t.msi") returned -1 [0048.940] lstrlenW (lpString=".efd") returned 4 [0048.940] lstrcmpiW (lpString1=".efd", lpString2=".msi") returned -1 [0048.940] lstrlenW (lpString=".elf") returned 4 [0048.940] lstrcmpiW (lpString1=".elf", lpString2=".msi") returned -1 [0048.940] lstrlenW (lpString=".emf") returned 4 [0048.940] lstrcmpiW (lpString1=".emf", lpString2=".msi") returned -1 [0048.940] lstrlenW (lpString=".emz") returned 4 [0048.940] lstrcmpiW (lpString1=".emz", lpString2=".msi") returned -1 [0048.941] lstrlenW (lpString=".epf") returned 4 [0048.941] lstrcmpiW (lpString1=".epf", lpString2=".msi") returned -1 [0048.941] lstrlenW (lpString=".eps") returned 4 [0048.941] lstrcmpiW (lpString1=".eps", lpString2=".msi") returned -1 [0048.941] lstrlenW (lpString=".epsf") returned 5 [0048.941] lstrcmpiW (lpString1=".epsf", lpString2="t.msi") returned -1 [0048.941] lstrlenW (lpString=".epsp") returned 5 [0048.941] lstrcmpiW (lpString1=".epsp", lpString2="t.msi") returned -1 [0048.941] lstrlenW (lpString=".erf") returned 4 [0048.941] lstrcmpiW (lpString1=".erf", lpString2=".msi") returned -1 [0048.941] lstrlenW (lpString=".exr") returned 4 [0048.941] lstrcmpiW (lpString1=".exr", lpString2=".msi") returned -1 [0048.941] lstrlenW (lpString=".f4v") returned 4 [0048.941] lstrcmpiW (lpString1=".f4v", lpString2=".msi") returned -1 [0048.941] lstrlenW (lpString=".fido") returned 5 [0048.941] lstrcmpiW (lpString1=".fido", lpString2="t.msi") returned -1 [0048.941] lstrlenW (lpString=".flm") returned 4 [0048.941] lstrcmpiW (lpString1=".flm", lpString2=".msi") returned -1 [0048.941] lstrlenW (lpString=".flv") returned 4 [0048.941] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0048.941] lstrlenW (lpString=".frm") returned 4 [0048.941] lstrcmpiW (lpString1=".frm", lpString2=".msi") returned -1 [0048.941] lstrlenW (lpString=".fxg") returned 4 [0048.941] lstrcmpiW (lpString1=".fxg", lpString2=".msi") returned -1 [0048.941] lstrlenW (lpString=".geo") returned 4 [0048.941] lstrcmpiW (lpString1=".geo", lpString2=".msi") returned -1 [0048.941] lstrlenW (lpString=".gif") returned 4 [0048.941] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0048.941] lstrlenW (lpString=".grs") returned 4 [0048.941] lstrcmpiW (lpString1=".grs", lpString2=".msi") returned -1 [0048.941] lstrlenW (lpString=".gz") returned 3 [0048.941] lstrcmpiW (lpString1=".gz", lpString2="msi") returned -1 [0048.941] lstrlenW (lpString=".h") returned 2 [0048.941] lstrcmpiW (lpString1=".h", lpString2="si") returned -1 [0048.942] lstrlenW (lpString=".hdr") returned 4 [0048.942] lstrcmpiW (lpString1=".hdr", lpString2=".msi") returned -1 [0048.942] lstrlenW (lpString=".hpp") returned 4 [0048.942] lstrcmpiW (lpString1=".hpp", lpString2=".msi") returned -1 [0048.942] lstrlenW (lpString=".hta") returned 4 [0048.942] lstrcmpiW (lpString1=".hta", lpString2=".msi") returned -1 [0048.942] lstrlenW (lpString=".htc") returned 4 [0048.942] lstrcmpiW (lpString1=".htc", lpString2=".msi") returned -1 [0048.942] lstrlenW (lpString=".htm") returned 4 [0048.942] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0048.942] lstrlenW (lpString=".html") returned 5 [0048.942] lstrcmpiW (lpString1=".html", lpString2="t.msi") returned -1 [0048.942] lstrlenW (lpString=".icb") returned 4 [0048.942] lstrcmpiW (lpString1=".icb", lpString2=".msi") returned -1 [0048.942] lstrlenW (lpString=".ics") returned 4 [0048.942] lstrcmpiW (lpString1=".ics", lpString2=".msi") returned -1 [0048.942] lstrlenW (lpString=".iff") returned 4 [0048.942] lstrcmpiW (lpString1=".iff", lpString2=".msi") returned -1 [0048.942] lstrlenW (lpString=".inc") returned 4 [0048.942] lstrcmpiW (lpString1=".inc", lpString2=".msi") returned -1 [0048.942] lstrlenW (lpString=".indd") returned 5 [0048.942] lstrcmpiW (lpString1=".indd", lpString2="t.msi") returned -1 [0048.942] lstrlenW (lpString=".ini") returned 4 [0048.942] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0048.942] lstrlenW (lpString=".iqy") returned 4 [0048.942] lstrcmpiW (lpString1=".iqy", lpString2=".msi") returned -1 [0048.942] lstrlenW (lpString=".j2c") returned 4 [0048.942] lstrcmpiW (lpString1=".j2c", lpString2=".msi") returned -1 [0048.942] lstrlenW (lpString=".j2k") returned 4 [0048.942] lstrcmpiW (lpString1=".j2k", lpString2=".msi") returned -1 [0048.942] lstrlenW (lpString=".java") returned 5 [0048.942] lstrcmpiW (lpString1=".java", lpString2="t.msi") returned -1 [0048.942] lstrlenW (lpString=".jp2") returned 4 [0048.942] lstrcmpiW (lpString1=".jp2", lpString2=".msi") returned -1 [0048.943] lstrlenW (lpString=".jpc") returned 4 [0048.943] lstrcmpiW (lpString1=".jpc", lpString2=".msi") returned -1 [0048.943] lstrlenW (lpString=".jpe") returned 4 [0048.943] lstrcmpiW (lpString1=".jpe", lpString2=".msi") returned -1 [0048.943] lstrlenW (lpString=".jpeg") returned 5 [0048.943] lstrcmpiW (lpString1=".jpeg", lpString2="t.msi") returned -1 [0048.943] lstrlenW (lpString=".jpf") returned 4 [0048.943] lstrcmpiW (lpString1=".jpf", lpString2=".msi") returned -1 [0048.943] lstrlenW (lpString=".jpg") returned 4 [0048.943] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.943] lstrlenW (lpString=".jpx") returned 4 [0048.943] lstrcmpiW (lpString1=".jpx", lpString2=".msi") returned -1 [0048.943] lstrlenW (lpString=".js") returned 3 [0048.943] lstrcmpiW (lpString1=".js", lpString2="msi") returned -1 [0048.943] lstrlenW (lpString=".jsf") returned 4 [0048.943] lstrcmpiW (lpString1=".jsf", lpString2=".msi") returned -1 [0048.943] lstrlenW (lpString=".json") returned 5 [0048.943] lstrcmpiW (lpString1=".json", lpString2="t.msi") returned -1 [0048.943] lstrlenW (lpString=".jsp") returned 4 [0048.943] lstrcmpiW (lpString1=".jsp", lpString2=".msi") returned -1 [0048.943] lstrlenW (lpString=".kdc") returned 4 [0048.943] lstrcmpiW (lpString1=".kdc", lpString2=".msi") returned -1 [0048.943] lstrlenW (lpString=".kmz") returned 4 [0048.943] lstrcmpiW (lpString1=".kmz", lpString2=".msi") returned -1 [0048.943] lstrlenW (lpString=".kwm") returned 4 [0048.943] lstrcmpiW (lpString1=".kwm", lpString2=".msi") returned -1 [0048.943] lstrlenW (lpString=".lasso") returned 6 [0048.943] lstrcmpiW (lpString1=".lasso", lpString2="et.msi") returned -1 [0048.943] lstrlenW (lpString=".lbi") returned 4 [0048.943] lstrcmpiW (lpString1=".lbi", lpString2=".msi") returned -1 [0048.943] lstrlenW (lpString=".lgf") returned 4 [0048.943] lstrcmpiW (lpString1=".lgf", lpString2=".msi") returned -1 [0048.943] lstrlenW (lpString=".lgp") returned 4 [0048.943] lstrcmpiW (lpString1=".lgp", lpString2=".msi") returned -1 [0048.944] lstrlenW (lpString=".log") returned 4 [0048.944] lstrcmpiW (lpString1=".log", lpString2=".msi") returned -1 [0048.944] lstrlenW (lpString=".m1v") returned 4 [0048.944] lstrcmpiW (lpString1=".m1v", lpString2=".msi") returned -1 [0048.944] lstrlenW (lpString=".m4a") returned 4 [0048.944] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0048.944] lstrlenW (lpString=".m4v") returned 4 [0048.944] lstrcmpiW (lpString1=".m4v", lpString2=".msi") returned -1 [0048.944] lstrlenW (lpString=".max") returned 4 [0048.944] lstrcmpiW (lpString1=".max", lpString2=".msi") returned -1 [0048.944] lstrlenW (lpString=".md") returned 3 [0048.944] lstrcmpiW (lpString1=".md", lpString2="msi") returned -1 [0048.944] lstrlenW (lpString=".mda") returned 4 [0048.944] lstrcmpiW (lpString1=".mda", lpString2=".msi") returned -1 [0048.944] lstrlenW (lpString=".mdb") returned 4 [0048.944] lstrcmpiW (lpString1=".mdb", lpString2=".msi") returned -1 [0048.944] lstrlenW (lpString=".mde") returned 4 [0048.944] lstrcmpiW (lpString1=".mde", lpString2=".msi") returned -1 [0048.944] lstrlenW (lpString=".mdf") returned 4 [0048.944] lstrcmpiW (lpString1=".mdf", lpString2=".msi") returned -1 [0048.944] lstrlenW (lpString=".mdw") returned 4 [0048.944] lstrcmpiW (lpString1=".mdw", lpString2=".msi") returned -1 [0048.944] lstrlenW (lpString=".mef") returned 4 [0048.944] lstrcmpiW (lpString1=".mef", lpString2=".msi") returned -1 [0048.944] lstrlenW (lpString=".mft") returned 4 [0048.944] lstrcmpiW (lpString1=".mft", lpString2=".msi") returned -1 [0048.944] lstrlenW (lpString=".mfw") returned 4 [0048.944] lstrcmpiW (lpString1=".mfw", lpString2=".msi") returned -1 [0048.944] lstrlenW (lpString=".mht") returned 4 [0048.944] lstrcmpiW (lpString1=".mht", lpString2=".msi") returned -1 [0048.944] lstrlenW (lpString=".mhtml") returned 6 [0048.944] lstrcmpiW (lpString1=".mhtml", lpString2="et.msi") returned -1 [0048.944] lstrlenW (lpString=".mka") returned 4 [0048.944] lstrcmpiW (lpString1=".mka", lpString2=".msi") returned -1 [0048.945] lstrlenW (lpString=".mkidx") returned 6 [0048.945] lstrcmpiW (lpString1=".mkidx", lpString2="et.msi") returned -1 [0048.945] lstrlenW (lpString=".mkv") returned 4 [0048.945] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0048.945] lstrlenW (lpString=".mos") returned 4 [0048.945] lstrcmpiW (lpString1=".mos", lpString2=".msi") returned -1 [0048.945] lstrlenW (lpString=".mov") returned 4 [0048.945] lstrcmpiW (lpString1=".mov", lpString2=".msi") returned -1 [0048.945] lstrlenW (lpString=".mp3") returned 4 [0048.945] lstrcmpiW (lpString1=".mp3", lpString2=".msi") returned -1 [0048.945] lstrlenW (lpString=".mp4") returned 4 [0048.945] lstrcmpiW (lpString1=".mp4", lpString2=".msi") returned -1 [0048.945] lstrlenW (lpString=".mpeg") returned 5 [0048.945] lstrcmpiW (lpString1=".mpeg", lpString2="t.msi") returned -1 [0048.945] lstrlenW (lpString=".mpg") returned 4 [0048.945] lstrcmpiW (lpString1=".mpg", lpString2=".msi") returned -1 [0048.945] lstrlenW (lpString=".mpv") returned 4 [0048.945] lstrcmpiW (lpString1=".mpv", lpString2=".msi") returned -1 [0048.945] lstrlenW (lpString=".mrw") returned 4 [0048.945] lstrcmpiW (lpString1=".mrw", lpString2=".msi") returned -1 [0048.945] lstrlenW (lpString=".msg") returned 4 [0048.945] lstrcmpiW (lpString1=".msg", lpString2=".msi") returned -1 [0048.945] lstrlenW (lpString=".mxl") returned 4 [0048.945] lstrcmpiW (lpString1=".mxl", lpString2=".msi") returned 1 [0048.945] lstrlenW (lpString=".myd") returned 4 [0048.945] lstrcmpiW (lpString1=".myd", lpString2=".msi") returned 1 [0048.945] lstrlenW (lpString=".myi") returned 4 [0048.945] lstrcmpiW (lpString1=".myi", lpString2=".msi") returned 1 [0048.945] lstrlenW (lpString=".nef") returned 4 [0048.945] lstrcmpiW (lpString1=".nef", lpString2=".msi") returned 1 [0048.945] lstrlenW (lpString=".nrw") returned 4 [0048.945] lstrcmpiW (lpString1=".nrw", lpString2=".msi") returned 1 [0048.945] lstrlenW (lpString=".obj") returned 4 [0048.945] lstrcmpiW (lpString1=".obj", lpString2=".msi") returned 1 [0048.945] lstrlenW (lpString=".odb") returned 4 [0048.946] lstrcmpiW (lpString1=".odb", lpString2=".msi") returned 1 [0048.946] lstrlenW (lpString=".odc") returned 4 [0048.946] lstrcmpiW (lpString1=".odc", lpString2=".msi") returned 1 [0048.946] lstrlenW (lpString=".odm") returned 4 [0048.946] lstrcmpiW (lpString1=".odm", lpString2=".msi") returned 1 [0048.946] lstrlenW (lpString=".odp") returned 4 [0048.946] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0048.946] lstrlenW (lpString=".ods") returned 4 [0048.946] lstrcmpiW (lpString1=".ods", lpString2=".msi") returned 1 [0048.946] lstrlenW (lpString=".oft") returned 4 [0048.946] lstrcmpiW (lpString1=".oft", lpString2=".msi") returned 1 [0048.946] lstrlenW (lpString=".one") returned 4 [0048.946] lstrcmpiW (lpString1=".one", lpString2=".msi") returned 1 [0048.946] lstrlenW (lpString=".onepkg") returned 7 [0048.946] lstrcmpiW (lpString1=".onepkg", lpString2="Set.msi") returned -1 [0048.946] lstrlenW (lpString=".onetoc2") returned 8 [0048.946] lstrcmpiW (lpString1=".onetoc2", lpString2="ISet.msi") returned -1 [0048.946] lstrlenW (lpString=".opt") returned 4 [0048.946] lstrcmpiW (lpString1=".opt", lpString2=".msi") returned 1 [0048.946] lstrlenW (lpString=".oqy") returned 4 [0048.946] lstrcmpiW (lpString1=".oqy", lpString2=".msi") returned 1 [0048.946] lstrlenW (lpString=".orf") returned 4 [0048.946] lstrcmpiW (lpString1=".orf", lpString2=".msi") returned 1 [0048.946] lstrlenW (lpString=".p12") returned 4 [0048.946] lstrcmpiW (lpString1=".p12", lpString2=".msi") returned 1 [0048.946] lstrlenW (lpString=".p7b") returned 4 [0048.946] lstrcmpiW (lpString1=".p7b", lpString2=".msi") returned 1 [0048.946] lstrlenW (lpString=".p7c") returned 4 [0048.946] lstrcmpiW (lpString1=".p7c", lpString2=".msi") returned 1 [0048.946] lstrlenW (lpString=".pam") returned 4 [0048.946] lstrcmpiW (lpString1=".pam", lpString2=".msi") returned 1 [0048.946] lstrlenW (lpString=".pbm") returned 4 [0048.947] lstrcmpiW (lpString1=".pbm", lpString2=".msi") returned 1 [0048.947] lstrlenW (lpString=".pct") returned 4 [0048.947] lstrcmpiW (lpString1=".pct", lpString2=".msi") returned 1 [0048.947] lstrlenW (lpString=".pcx") returned 4 [0048.947] lstrcmpiW (lpString1=".pcx", lpString2=".msi") returned 1 [0048.947] lstrlenW (lpString=".pdd") returned 4 [0048.947] lstrcmpiW (lpString1=".pdd", lpString2=".msi") returned 1 [0048.947] lstrlenW (lpString=".pdf") returned 4 [0048.947] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.947] lstrlenW (lpString=".pdp") returned 4 [0048.947] lstrcmpiW (lpString1=".pdp", lpString2=".msi") returned 1 [0048.947] lstrlenW (lpString=".pef") returned 4 [0048.947] lstrcmpiW (lpString1=".pef", lpString2=".msi") returned 1 [0048.947] lstrlenW (lpString=".pem") returned 4 [0048.947] lstrcmpiW (lpString1=".pem", lpString2=".msi") returned 1 [0048.947] lstrlenW (lpString=".pff") returned 4 [0048.947] lstrcmpiW (lpString1=".pff", lpString2=".msi") returned 1 [0048.947] lstrlenW (lpString=".pfm") returned 4 [0048.947] lstrcmpiW (lpString1=".pfm", lpString2=".msi") returned 1 [0048.947] lstrlenW (lpString=".pfx") returned 4 [0048.947] lstrcmpiW (lpString1=".pfx", lpString2=".msi") returned 1 [0048.947] lstrlenW (lpString=".pgm") returned 4 [0048.947] lstrcmpiW (lpString1=".pgm", lpString2=".msi") returned 1 [0048.947] lstrlenW (lpString=".php") returned 4 [0048.947] lstrcmpiW (lpString1=".php", lpString2=".msi") returned 1 [0048.947] lstrlenW (lpString=".php3") returned 5 [0048.947] lstrcmpiW (lpString1=".php3", lpString2="t.msi") returned -1 [0048.948] lstrlenW (lpString=".php4") returned 5 [0048.948] lstrcmpiW (lpString1=".php4", lpString2="t.msi") returned -1 [0048.948] lstrlenW (lpString=".php5") returned 5 [0048.948] lstrcmpiW (lpString1=".php5", lpString2="t.msi") returned -1 [0048.948] lstrlenW (lpString=".phtml") returned 6 [0048.948] lstrcmpiW (lpString1=".phtml", lpString2="et.msi") returned -1 [0048.948] lstrlenW (lpString=".pict") returned 5 [0048.948] lstrcmpiW (lpString1=".pict", lpString2="t.msi") returned -1 [0048.948] lstrlenW (lpString=".pl") returned 3 [0048.948] lstrcmpiW (lpString1=".pl", lpString2="msi") returned -1 [0048.948] lstrlenW (lpString=".pls") returned 4 [0048.948] lstrcmpiW (lpString1=".pls", lpString2=".msi") returned 1 [0048.948] lstrlenW (lpString=".pm") returned 3 [0048.948] lstrcmpiW (lpString1=".pm", lpString2="msi") returned -1 [0048.948] lstrlenW (lpString=".png") returned 4 [0048.948] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0048.948] lstrlenW (lpString=".pnm") returned 4 [0048.948] lstrcmpiW (lpString1=".pnm", lpString2=".msi") returned 1 [0048.948] lstrlenW (lpString=".pot") returned 4 [0048.948] lstrcmpiW (lpString1=".pot", lpString2=".msi") returned 1 [0048.948] lstrlenW (lpString=".potm") returned 5 [0048.948] lstrcmpiW (lpString1=".potm", lpString2="t.msi") returned -1 [0048.948] lstrlenW (lpString=".potx") returned 5 [0048.948] lstrcmpiW (lpString1=".potx", lpString2="t.msi") returned -1 [0048.948] lstrlenW (lpString=".ppa") returned 4 [0048.948] lstrcmpiW (lpString1=".ppa", lpString2=".msi") returned 1 [0048.948] lstrlenW (lpString=".ppam") returned 5 [0048.948] lstrcmpiW (lpString1=".ppam", lpString2="t.msi") returned -1 [0048.948] lstrlenW (lpString=".ppm") returned 4 [0048.948] lstrcmpiW (lpString1=".ppm", lpString2=".msi") returned 1 [0048.948] lstrlenW (lpString=".pps") returned 4 [0048.948] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0048.948] lstrlenW (lpString=".ppsm") returned 5 [0048.948] lstrcmpiW (lpString1=".ppsm", lpString2="t.msi") returned -1 [0048.948] lstrlenW (lpString=".ppt") returned 4 [0048.949] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.949] lstrlenW (lpString=".pptm") returned 5 [0048.949] lstrcmpiW (lpString1=".pptm", lpString2="t.msi") returned -1 [0048.949] lstrlenW (lpString=".pptx") returned 5 [0048.949] lstrcmpiW (lpString1=".pptx", lpString2="t.msi") returned -1 [0048.949] lstrlenW (lpString=".prn") returned 4 [0048.949] lstrcmpiW (lpString1=".prn", lpString2=".msi") returned 1 [0048.949] lstrlenW (lpString=".ps") returned 3 [0048.949] lstrcmpiW (lpString1=".ps", lpString2="msi") returned -1 [0048.949] lstrlenW (lpString=".psb") returned 4 [0048.949] lstrcmpiW (lpString1=".psb", lpString2=".msi") returned 1 [0048.949] lstrlenW (lpString=".psd") returned 4 [0048.949] lstrcmpiW (lpString1=".psd", lpString2=".msi") returned 1 [0048.949] lstrlenW (lpString=".pst") returned 4 [0048.949] lstrcmpiW (lpString1=".pst", lpString2=".msi") returned 1 [0048.949] lstrlenW (lpString=".ptx") returned 4 [0048.949] lstrcmpiW (lpString1=".ptx", lpString2=".msi") returned 1 [0048.949] lstrlenW (lpString=".pub") returned 4 [0048.949] lstrcmpiW (lpString1=".pub", lpString2=".msi") returned 1 [0048.949] lstrlenW (lpString=".pwm") returned 4 [0048.949] lstrcmpiW (lpString1=".pwm", lpString2=".msi") returned 1 [0048.949] lstrlenW (lpString=".pxr") returned 4 [0048.949] lstrcmpiW (lpString1=".pxr", lpString2=".msi") returned 1 [0048.949] lstrlenW (lpString=".py") returned 3 [0048.949] lstrcmpiW (lpString1=".py", lpString2="msi") returned -1 [0048.949] lstrlenW (lpString=".qt") returned 3 [0048.949] lstrcmpiW (lpString1=".qt", lpString2="msi") returned -1 [0048.949] lstrlenW (lpString=".r3d") returned 4 [0048.949] lstrcmpiW (lpString1=".r3d", lpString2=".msi") returned 1 [0048.949] lstrlenW (lpString=".raf") returned 4 [0048.949] lstrcmpiW (lpString1=".raf", lpString2=".msi") returned 1 [0049.615] FindNextFileW (in: hFindFile=0x4011178, lpFindFileData=0x3baf58c | out: lpFindFileData=0x3baf58c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.615] FindNextFileW (in: hFindFile=0x4011178, lpFindFileData=0x3baf58c | out: lpFindFileData=0x3baf58c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87078450, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87078450, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5d1e590, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0052.957] FindNextFileW (in: hFindFile=0x40112f8, lpFindFileData=0x3baf094 | out: lpFindFileData=0x3baf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.957] FindNextFileW (in: hFindFile=0x40112f8, lpFindFileData=0x3baf094 | out: lpFindFileData=0x3baf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x9df, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0062.091] FindNextFileW (in: hFindFile=0x4011278, lpFindFileData=0x3baf094 | out: lpFindFileData=0x3baf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5178e0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbd4548c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd4548c0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.103] FindNextFileW (in: hFindFile=0x4011278, lpFindFileData=0x3baf094 | out: lpFindFileData=0x3baf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b0e4a00, ftCreationTime.dwHighDateTime=0x1bd5ead, ftLastAccessTime.dwLowDateTime=0xbc847960, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x9b0e4a00, ftLastWriteTime.dwHighDateTime=0x1bd5ead, nFileSizeHigh=0x0, nFileSizeLow=0x3d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10219_.GIF", cAlternateFileName="")) returned 1 [0071.009] FindNextFileW (in: hFindFile=0x40111b8, lpFindFileData=0x3baf094 | out: lpFindFileData=0x3baf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51b925d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x52a72f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x52a72f50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.010] FindNextFileW (in: hFindFile=0x40111b8, lpFindFileData=0x3baf094 | out: lpFindFileData=0x3baf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52a72f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x708e7550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x708e7550, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="People", cAlternateFileName="")) returned 1 [0071.010] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People") returned 1 [0071.010] lstrcmpiW (lpString1="C:\\Windows", lpString2="People") returned -1 [0071.010] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x4072080 [0071.010] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\*", lpFindFileData=0x3baee18 | out: lpFindFileData=0x3baee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52a72f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x708e7550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x708e7550, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x40113b8 [0071.011] FindNextFileW (in: hFindFile=0x40113b8, lpFindFileData=0x3baee18 | out: lpFindFileData=0x3baee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52a72f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x708e7550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x708e7550, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.011] FindNextFileW (in: hFindFile=0x40113b8, lpFindFileData=0x3baee18 | out: lpFindFileData=0x3baee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d003d00, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x604d91d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d003d00, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x6bd4, dwReserved0=0x0, dwReserved1=0x0, cFileName="COUGH.WAV", cAlternateFileName="")) returned 1 [0071.011] lstrcmpiW (lpString1=".1cd", lpString2=".WAV") returned -1 [0071.011] lstrcmpiW (lpString1=".3ds", lpString2=".WAV") returned -1 [0071.012] lstrcmpiW (lpString1=".3fr", lpString2=".WAV") returned -1 [0071.012] lstrcmpiW (lpString1=".3g2", lpString2=".WAV") returned -1 [0071.012] lstrcmpiW (lpString1=".3gp", lpString2=".WAV") returned -1 [0071.012] lstrcmpiW (lpString1=".7z", lpString2="WAV") returned -1 [0071.012] lstrcmpiW (lpString1=".accda", lpString2="GH.WAV") returned -1 [0071.012] lstrcmpiW (lpString1=".accdb", lpString2="GH.WAV") returned -1 [0071.012] lstrcmpiW (lpString1=".accdc", lpString2="GH.WAV") returned -1 [0071.012] lstrcmpiW (lpString1=".accde", lpString2="GH.WAV") returned -1 [0071.012] lstrcmpiW (lpString1=".accdt", lpString2="GH.WAV") returned -1 [0071.012] lstrcmpiW (lpString1=".accdw", lpString2="GH.WAV") returned -1 [0071.012] lstrcmpiW (lpString1=".adb", lpString2=".WAV") returned -1 [0071.012] lstrcmpiW (lpString1=".adp", lpString2=".WAV") returned -1 [0071.012] lstrcmpiW (lpString1=".ai", lpString2="WAV") returned -1 [0071.013] lstrcmpiW (lpString1=".ai3", lpString2=".WAV") returned -1 [0071.013] lstrcmpiW (lpString1=".ai4", lpString2=".WAV") returned -1 [0071.013] lstrcmpiW (lpString1=".ai5", lpString2=".WAV") returned -1 [0071.013] lstrcmpiW (lpString1=".ai6", lpString2=".WAV") returned -1 [0071.013] lstrcmpiW (lpString1=".ai7", lpString2=".WAV") returned -1 [0071.013] lstrcmpiW (lpString1=".ai8", lpString2=".WAV") returned -1 [0071.013] lstrcmpiW (lpString1=".anim", lpString2="H.WAV") returned -1 [0071.013] lstrcmpiW (lpString1=".arw", lpString2=".WAV") returned -1 [0071.013] lstrcmpiW (lpString1=".as", lpString2="WAV") returned -1 [0071.013] lstrcmpiW (lpString1=".asa", lpString2=".WAV") returned -1 [0071.013] lstrcmpiW (lpString1=".asc", lpString2=".WAV") returned -1 [0071.013] lstrcmpiW (lpString1=".ascx", lpString2="H.WAV") returned -1 [0071.013] lstrcmpiW (lpString1=".asm", lpString2=".WAV") returned -1 [0071.013] lstrcmpiW (lpString1=".asmx", lpString2="H.WAV") returned -1 [0071.014] lstrcmpiW (lpString1=".asp", lpString2=".WAV") returned -1 [0071.014] lstrcmpiW (lpString1=".aspx", lpString2="H.WAV") returned -1 [0071.014] lstrcmpiW (lpString1=".asr", lpString2=".WAV") returned -1 [0071.014] lstrcmpiW (lpString1=".asx", lpString2=".WAV") returned -1 [0071.014] lstrcmpiW (lpString1=".avi", lpString2=".WAV") returned -1 [0071.014] lstrcmpiW (lpString1=".avs", lpString2=".WAV") returned -1 [0071.014] lstrcmpiW (lpString1=".backup", lpString2="UGH.WAV") returned -1 [0071.014] lstrcmpiW (lpString1=".bak", lpString2=".WAV") returned -1 [0071.014] lstrcmpiW (lpString1=".bay", lpString2=".WAV") returned -1 [0071.014] lstrcmpiW (lpString1=".bd", lpString2="WAV") returned -1 [0071.014] lstrcmpiW (lpString1=".bin", lpString2=".WAV") returned -1 [0071.014] lstrcmpiW (lpString1=".bmp", lpString2=".WAV") returned -1 [0071.014] lstrcmpiW (lpString1=".bz2", lpString2=".WAV") returned -1 [0071.015] lstrcmpiW (lpString1=".c", lpString2="AV") returned -1 [0071.015] lstrcmpiW (lpString1=".cdr", lpString2=".WAV") returned -1 [0071.015] lstrcmpiW (lpString1=".cer", lpString2=".WAV") returned -1 [0071.015] lstrcmpiW (lpString1=".cf", lpString2="WAV") returned -1 [0071.015] lstrcmpiW (lpString1=".cfc", lpString2=".WAV") returned -1 [0071.015] lstrcmpiW (lpString1=".cfm", lpString2=".WAV") returned -1 [0071.015] lstrcmpiW (lpString1=".cfml", lpString2="H.WAV") returned -1 [0071.015] lstrcmpiW (lpString1=".cfu", lpString2=".WAV") returned -1 [0071.015] lstrcmpiW (lpString1=".chm", lpString2=".WAV") returned -1 [0071.015] lstrcmpiW (lpString1=".cin", lpString2=".WAV") returned -1 [0071.015] lstrcmpiW (lpString1=".class", lpString2="GH.WAV") returned -1 [0071.015] lstrcmpiW (lpString1=".clx", lpString2=".WAV") returned -1 [0071.015] lstrcmpiW (lpString1=".config", lpString2="UGH.WAV") returned -1 [0071.015] lstrcmpiW (lpString1=".cpp", lpString2=".WAV") returned -1 [0071.016] lstrcmpiW (lpString1=".cr2", lpString2=".WAV") returned -1 [0071.016] lstrcmpiW (lpString1=".crt", lpString2=".WAV") returned -1 [0071.016] lstrcmpiW (lpString1=".crw", lpString2=".WAV") returned -1 [0071.016] lstrcmpiW (lpString1=".cs", lpString2="WAV") returned -1 [0071.016] lstrcmpiW (lpString1=".css", lpString2=".WAV") returned -1 [0071.016] lstrcmpiW (lpString1=".csv", lpString2=".WAV") returned -1 [0071.016] lstrcmpiW (lpString1=".cub", lpString2=".WAV") returned -1 [0071.016] lstrcmpiW (lpString1=".dae", lpString2=".WAV") returned -1 [0071.016] lstrcmpiW (lpString1=".dat", lpString2=".WAV") returned -1 [0071.016] lstrcmpiW (lpString1=".db", lpString2="WAV") returned -1 [0071.016] lstrcmpiW (lpString1=".dbf", lpString2=".WAV") returned -1 [0071.016] lstrcmpiW (lpString1=".dbx", lpString2=".WAV") returned -1 [0071.016] lstrcmpiW (lpString1=".dc3", lpString2=".WAV") returned -1 [0071.017] lstrcmpiW (lpString1=".dcm", lpString2=".WAV") returned -1 [0071.017] lstrcmpiW (lpString1=".dcr", lpString2=".WAV") returned -1 [0071.017] lstrcmpiW (lpString1=".der", lpString2=".WAV") returned -1 [0071.017] lstrcmpiW (lpString1=".dib", lpString2=".WAV") returned -1 [0071.017] lstrcmpiW (lpString1=".dic", lpString2=".WAV") returned -1 [0071.017] lstrcmpiW (lpString1=".dif", lpString2=".WAV") returned -1 [0071.017] lstrcmpiW (lpString1=".divx", lpString2="H.WAV") returned -1 [0071.017] lstrcmpiW (lpString1=".djvu", lpString2="H.WAV") returned -1 [0071.017] lstrcmpiW (lpString1=".dng", lpString2=".WAV") returned -1 [0071.017] lstrcmpiW (lpString1=".doc", lpString2=".WAV") returned -1 [0071.017] lstrcmpiW (lpString1=".docm", lpString2="H.WAV") returned -1 [0071.017] lstrcmpiW (lpString1=".docx", lpString2="H.WAV") returned -1 [0071.017] lstrcmpiW (lpString1=".dot", lpString2=".WAV") returned -1 [0071.017] lstrcmpiW (lpString1=".dotm", lpString2="H.WAV") returned -1 [0071.018] lstrcmpiW (lpString1=".dotx", lpString2="H.WAV") returned -1 [0071.018] lstrcmpiW (lpString1=".dpx", lpString2=".WAV") returned -1 [0071.018] lstrcmpiW (lpString1=".dqy", lpString2=".WAV") returned -1 [0071.018] lstrcmpiW (lpString1=".dsn", lpString2=".WAV") returned -1 [0071.018] lstrcmpiW (lpString1=".dt", lpString2="WAV") returned -1 [0071.018] lstrcmpiW (lpString1=".dtd", lpString2=".WAV") returned -1 [0071.018] lstrcmpiW (lpString1=".dwg", lpString2=".WAV") returned -1 [0071.018] lstrcmpiW (lpString1=".dwt", lpString2=".WAV") returned -1 [0071.018] lstrcmpiW (lpString1=".dx", lpString2="WAV") returned -1 [0071.018] lstrcmpiW (lpString1=".dxf", lpString2=".WAV") returned -1 [0071.018] lstrcmpiW (lpString1=".edml", lpString2="H.WAV") returned -1 [0071.018] lstrcmpiW (lpString1=".efd", lpString2=".WAV") returned -1 [0071.018] lstrcmpiW (lpString1=".elf", lpString2=".WAV") returned -1 [0071.019] lstrcmpiW (lpString1=".emf", lpString2=".WAV") returned -1 [0071.019] lstrcmpiW (lpString1=".emz", lpString2=".WAV") returned -1 [0071.019] lstrcmpiW (lpString1=".epf", lpString2=".WAV") returned -1 [0071.019] lstrcmpiW (lpString1=".eps", lpString2=".WAV") returned -1 [0071.019] lstrcmpiW (lpString1=".epsf", lpString2="H.WAV") returned -1 [0071.019] lstrcmpiW (lpString1=".epsp", lpString2="H.WAV") returned -1 [0071.019] lstrcmpiW (lpString1=".erf", lpString2=".WAV") returned -1 [0071.019] lstrcmpiW (lpString1=".exr", lpString2=".WAV") returned -1 [0071.019] lstrcmpiW (lpString1=".f4v", lpString2=".WAV") returned -1 [0071.019] lstrcmpiW (lpString1=".fido", lpString2="H.WAV") returned -1 [0071.019] lstrcmpiW (lpString1=".flm", lpString2=".WAV") returned -1 [0071.019] lstrcmpiW (lpString1=".flv", lpString2=".WAV") returned -1 [0071.019] lstrcmpiW (lpString1=".frm", lpString2=".WAV") returned -1 [0071.019] lstrcmpiW (lpString1=".fxg", lpString2=".WAV") returned -1 [0071.020] lstrcmpiW (lpString1=".geo", lpString2=".WAV") returned -1 [0071.020] lstrcmpiW (lpString1=".gif", lpString2=".WAV") returned -1 [0071.020] lstrcmpiW (lpString1=".grs", lpString2=".WAV") returned -1 [0071.020] lstrcmpiW (lpString1=".gz", lpString2="WAV") returned -1 [0071.020] lstrcmpiW (lpString1=".h", lpString2="AV") returned -1 [0071.020] lstrcmpiW (lpString1=".hdr", lpString2=".WAV") returned -1 [0071.020] lstrcmpiW (lpString1=".hpp", lpString2=".WAV") returned -1 [0071.020] lstrcmpiW (lpString1=".hta", lpString2=".WAV") returned -1 [0071.020] lstrcmpiW (lpString1=".htc", lpString2=".WAV") returned -1 [0071.020] lstrcmpiW (lpString1=".htm", lpString2=".WAV") returned -1 [0071.020] lstrcmpiW (lpString1=".html", lpString2="H.WAV") returned -1 [0071.020] lstrcmpiW (lpString1=".icb", lpString2=".WAV") returned -1 [0071.020] lstrcmpiW (lpString1=".ics", lpString2=".WAV") returned -1 [0071.022] lstrcmpiW (lpString1=".iff", lpString2=".WAV") returned -1 [0071.022] lstrcmpiW (lpString1=".inc", lpString2=".WAV") returned -1 [0071.022] lstrcmpiW (lpString1=".indd", lpString2="H.WAV") returned -1 [0071.022] lstrcmpiW (lpString1=".ini", lpString2=".WAV") returned -1 [0071.022] lstrcmpiW (lpString1=".iqy", lpString2=".WAV") returned -1 [0071.022] lstrcmpiW (lpString1=".j2c", lpString2=".WAV") returned -1 [0071.022] lstrcmpiW (lpString1=".j2k", lpString2=".WAV") returned -1 [0071.022] lstrcmpiW (lpString1=".java", lpString2="H.WAV") returned -1 [0071.022] lstrcmpiW (lpString1=".jp2", lpString2=".WAV") returned -1 [0071.022] lstrcmpiW (lpString1=".jpc", lpString2=".WAV") returned -1 [0071.023] lstrcmpiW (lpString1=".jpe", lpString2=".WAV") returned -1 [0071.023] lstrcmpiW (lpString1=".jpeg", lpString2="H.WAV") returned -1 [0071.023] lstrcmpiW (lpString1=".jpf", lpString2=".WAV") returned -1 [0071.023] lstrcmpiW (lpString1=".jpg", lpString2=".WAV") returned -1 [0071.023] lstrcmpiW (lpString1=".jpx", lpString2=".WAV") returned -1 [0071.023] lstrcmpiW (lpString1=".js", lpString2="WAV") returned -1 [0071.023] lstrcmpiW (lpString1=".jsf", lpString2=".WAV") returned -1 [0071.023] lstrcmpiW (lpString1=".json", lpString2="H.WAV") returned -1 [0071.023] lstrcmpiW (lpString1=".jsp", lpString2=".WAV") returned -1 [0071.023] lstrcmpiW (lpString1=".kdc", lpString2=".WAV") returned -1 [0071.023] lstrcmpiW (lpString1=".kmz", lpString2=".WAV") returned -1 [0071.023] lstrcmpiW (lpString1=".kwm", lpString2=".WAV") returned -1 [0071.023] lstrcmpiW (lpString1=".lasso", lpString2="GH.WAV") returned -1 [0071.024] lstrcmpiW (lpString1=".lbi", lpString2=".WAV") returned -1 [0071.024] lstrcmpiW (lpString1=".lgf", lpString2=".WAV") returned -1 [0071.024] lstrcmpiW (lpString1=".lgp", lpString2=".WAV") returned -1 [0071.024] lstrcmpiW (lpString1=".log", lpString2=".WAV") returned -1 [0071.024] lstrcmpiW (lpString1=".m1v", lpString2=".WAV") returned -1 [0071.024] lstrcmpiW (lpString1=".m4a", lpString2=".WAV") returned -1 [0071.024] lstrcmpiW (lpString1=".m4v", lpString2=".WAV") returned -1 [0071.024] lstrcmpiW (lpString1=".max", lpString2=".WAV") returned -1 [0071.024] lstrcmpiW (lpString1=".md", lpString2="WAV") returned -1 [0071.024] lstrcmpiW (lpString1=".mda", lpString2=".WAV") returned -1 [0071.024] lstrcmpiW (lpString1=".mdb", lpString2=".WAV") returned -1 [0071.024] lstrcmpiW (lpString1=".mde", lpString2=".WAV") returned -1 [0071.024] lstrcmpiW (lpString1=".mdf", lpString2=".WAV") returned -1 [0071.025] lstrcmpiW (lpString1=".mdw", lpString2=".WAV") returned -1 [0071.025] lstrcmpiW (lpString1=".mef", lpString2=".WAV") returned -1 [0071.025] lstrcmpiW (lpString1=".mft", lpString2=".WAV") returned -1 [0071.025] lstrcmpiW (lpString1=".mfw", lpString2=".WAV") returned -1 [0071.025] lstrcmpiW (lpString1=".mht", lpString2=".WAV") returned -1 [0071.025] lstrcmpiW (lpString1=".mhtml", lpString2="GH.WAV") returned -1 [0071.025] lstrcmpiW (lpString1=".mka", lpString2=".WAV") returned -1 [0071.025] lstrcmpiW (lpString1=".mkidx", lpString2="GH.WAV") returned -1 [0071.025] lstrcmpiW (lpString1=".mkv", lpString2=".WAV") returned -1 [0071.025] lstrcmpiW (lpString1=".mos", lpString2=".WAV") returned -1 [0071.025] lstrcmpiW (lpString1=".mov", lpString2=".WAV") returned -1 [0071.025] lstrcmpiW (lpString1=".mp3", lpString2=".WAV") returned -1 [0071.025] lstrcmpiW (lpString1=".mp4", lpString2=".WAV") returned -1 [0071.026] lstrcmpiW (lpString1=".mpeg", lpString2="H.WAV") returned -1 [0071.026] lstrcmpiW (lpString1=".mpg", lpString2=".WAV") returned -1 [0071.026] lstrcmpiW (lpString1=".mpv", lpString2=".WAV") returned -1 [0071.026] lstrcmpiW (lpString1=".mrw", lpString2=".WAV") returned -1 [0071.026] lstrcmpiW (lpString1=".msg", lpString2=".WAV") returned -1 [0071.026] lstrcmpiW (lpString1=".mxl", lpString2=".WAV") returned -1 [0071.026] lstrcmpiW (lpString1=".myd", lpString2=".WAV") returned -1 [0071.026] lstrcmpiW (lpString1=".myi", lpString2=".WAV") returned -1 [0071.026] lstrcmpiW (lpString1=".nef", lpString2=".WAV") returned -1 [0071.026] lstrcmpiW (lpString1=".nrw", lpString2=".WAV") returned -1 [0071.026] lstrcmpiW (lpString1=".obj", lpString2=".WAV") returned -1 [0071.026] lstrcmpiW (lpString1=".odb", lpString2=".WAV") returned -1 [0071.026] lstrcmpiW (lpString1=".odc", lpString2=".WAV") returned -1 [0071.026] lstrcmpiW (lpString1=".odm", lpString2=".WAV") returned -1 [0071.027] lstrcmpiW (lpString1=".odp", lpString2=".WAV") returned -1 [0071.027] lstrcmpiW (lpString1=".ods", lpString2=".WAV") returned -1 [0071.027] lstrcmpiW (lpString1=".oft", lpString2=".WAV") returned -1 [0071.027] lstrcmpiW (lpString1=".one", lpString2=".WAV") returned -1 [0071.027] lstrcmpiW (lpString1=".onepkg", lpString2="UGH.WAV") returned -1 [0071.027] lstrcmpiW (lpString1=".onetoc2", lpString2="OUGH.WAV") returned -1 [0071.027] lstrcmpiW (lpString1=".opt", lpString2=".WAV") returned -1 [0071.027] lstrcmpiW (lpString1=".oqy", lpString2=".WAV") returned -1 [0071.027] lstrcmpiW (lpString1=".orf", lpString2=".WAV") returned -1 [0071.027] lstrcmpiW (lpString1=".p12", lpString2=".WAV") returned -1 [0071.027] lstrcmpiW (lpString1=".p7b", lpString2=".WAV") returned -1 [0071.027] lstrcmpiW (lpString1=".p7c", lpString2=".WAV") returned -1 [0071.027] lstrcmpiW (lpString1=".pam", lpString2=".WAV") returned -1 [0071.027] lstrcmpiW (lpString1=".pbm", lpString2=".WAV") returned -1 [0071.028] lstrcmpiW (lpString1=".pct", lpString2=".WAV") returned -1 [0071.028] lstrcmpiW (lpString1=".pcx", lpString2=".WAV") returned -1 [0071.028] lstrcmpiW (lpString1=".pdd", lpString2=".WAV") returned -1 [0071.028] lstrcmpiW (lpString1=".pdf", lpString2=".WAV") returned -1 [0071.028] lstrcmpiW (lpString1=".pdp", lpString2=".WAV") returned -1 [0071.028] lstrcmpiW (lpString1=".pef", lpString2=".WAV") returned -1 [0071.028] lstrcmpiW (lpString1=".pem", lpString2=".WAV") returned -1 [0071.028] lstrcmpiW (lpString1=".pff", lpString2=".WAV") returned -1 [0071.028] lstrcmpiW (lpString1=".pfm", lpString2=".WAV") returned -1 [0071.028] lstrcmpiW (lpString1=".pfx", lpString2=".WAV") returned -1 [0071.028] lstrcmpiW (lpString1=".pgm", lpString2=".WAV") returned -1 [0071.028] lstrcmpiW (lpString1=".php", lpString2=".WAV") returned -1 [0071.028] lstrcmpiW (lpString1=".php3", lpString2="H.WAV") returned -1 [0071.029] lstrcmpiW (lpString1=".php4", lpString2="H.WAV") returned -1 [0071.029] lstrcmpiW (lpString1=".php5", lpString2="H.WAV") returned -1 [0071.029] lstrcmpiW (lpString1=".phtml", lpString2="GH.WAV") returned -1 [0071.029] lstrcmpiW (lpString1=".pict", lpString2="H.WAV") returned -1 [0071.029] lstrcmpiW (lpString1=".pl", lpString2="WAV") returned -1 [0071.029] lstrcmpiW (lpString1=".pls", lpString2=".WAV") returned -1 [0071.029] lstrcmpiW (lpString1=".pm", lpString2="WAV") returned -1 [0071.029] lstrcmpiW (lpString1=".png", lpString2=".WAV") returned -1 [0071.029] lstrcmpiW (lpString1=".pnm", lpString2=".WAV") returned -1 [0071.029] lstrcmpiW (lpString1=".pot", lpString2=".WAV") returned -1 [0071.029] lstrcmpiW (lpString1=".potm", lpString2="H.WAV") returned -1 [0071.029] lstrcmpiW (lpString1=".potx", lpString2="H.WAV") returned -1 [0071.029] lstrcmpiW (lpString1=".ppa", lpString2=".WAV") returned -1 [0071.029] lstrcmpiW (lpString1=".ppam", lpString2="H.WAV") returned -1 [0071.030] lstrcmpiW (lpString1=".ppm", lpString2=".WAV") returned -1 [0071.030] lstrcmpiW (lpString1=".pps", lpString2=".WAV") returned -1 [0071.030] lstrcmpiW (lpString1=".ppsm", lpString2="H.WAV") returned -1 [0071.030] lstrcmpiW (lpString1=".ppt", lpString2=".WAV") returned -1 [0071.030] lstrcmpiW (lpString1=".pptm", lpString2="H.WAV") returned -1 [0071.030] lstrcmpiW (lpString1=".pptx", lpString2="H.WAV") returned -1 [0071.030] lstrcmpiW (lpString1=".prn", lpString2=".WAV") returned -1 [0071.030] lstrcmpiW (lpString1=".ps", lpString2="WAV") returned -1 [0071.030] lstrcmpiW (lpString1=".psb", lpString2=".WAV") returned -1 [0071.030] lstrcmpiW (lpString1=".psd", lpString2=".WAV") returned -1 [0071.030] lstrcmpiW (lpString1=".pst", lpString2=".WAV") returned -1 [0071.030] lstrcmpiW (lpString1=".ptx", lpString2=".WAV") returned -1 [0071.030] lstrcmpiW (lpString1=".pub", lpString2=".WAV") returned -1 [0071.031] lstrcmpiW (lpString1=".pwm", lpString2=".WAV") returned -1 [0071.031] lstrcmpiW (lpString1=".pxr", lpString2=".WAV") returned -1 [0071.031] lstrcmpiW (lpString1=".py", lpString2="WAV") returned -1 [0071.031] lstrcmpiW (lpString1=".qt", lpString2="WAV") returned -1 [0071.031] lstrcmpiW (lpString1=".r3d", lpString2=".WAV") returned -1 [0071.031] lstrcmpiW (lpString1=".raf", lpString2=".WAV") returned -1 [0071.031] lstrcmpiW (lpString1=".rar", lpString2=".WAV") returned -1 [0071.032] FindClose (in: hFindFile=0x40113b8 | out: hFindFile=0x40113b8) returned 1 [0071.033] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x4072080 | out: hHeap=0x5f0000) returned 1 [0071.033] FindNextFileW (in: hFindFile=0x40111b8, lpFindFileData=0x3baf094 | out: lpFindFileData=0x3baf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51b925d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d547830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d547830, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Places", cAlternateFileName="")) returned 1 [0071.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places") returned 63 [0071.033] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\*", lpFindFileData=0x3baee18 | out: lpFindFileData=0x3baee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51b925d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d547830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d547830, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x40113b8 [0071.100] FindNextFileW (in: hFindFile=0x40113b8, lpFindFileData=0x3baee18 | out: lpFindFileData=0x3baee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51b925d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d547830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d547830, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.100] FindNextFileW (in: hFindFile=0x40113b8, lpFindFileData=0x3baee18 | out: lpFindFileData=0x3baee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d003d00, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x5eb686b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d003d00, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x84e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ALARM.WAV", cAlternateFileName="")) returned 1 [0071.100] lstrlenW (lpString="ALARM.WAV") returned 9 [0071.100] lstrlenW (lpString=".1cd") returned 4 [0071.101] FindClose (hFindFile=0x40113b8) Thread: id = 26 os_tid = 0x814 Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x4aef8000" os_pid = "0x5b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa1c" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 4 os_tid = 0x64 [0044.895] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfe90 | out: lpSystemTimeAsFileTime=0x1cfe90*(dwLowDateTime=0xfb77bbc0, dwHighDateTime=0x1d6830a)) [0044.895] GetCurrentProcessId () returned 0x5b8 [0044.895] GetCurrentThreadId () returned 0x64 [0044.895] GetTickCount () returned 0x1144a79 [0044.895] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfe98 | out: lpPerformanceCount=0x1cfe98*=16516718941) returned 1 [0044.896] GetModuleHandleW (lpModuleName=0x0) returned 0x4a250000 [0044.896] __set_app_type (_Type=0x1) [0044.896] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a277810) returned 0x0 [0044.896] __getmainargs (in: _Argc=0x4a29a608, _Argv=0x4a29a618, _Env=0x4a29a610, _DoWildCard=0, _StartInfo=0x4a27e0f4 | out: _Argc=0x4a29a608, _Argv=0x4a29a618, _Env=0x4a29a610) returned 0 [0044.897] GetCurrentThreadId () returned 0x64 [0044.897] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x64) returned 0x3c [0044.897] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0044.897] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0044.897] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0044.898] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0044.898] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfe28 | out: phkResult=0x1cfe28*=0x0) returned 0x2 [0044.898] VirtualQuery (in: lpAddress=0x1cfe10, lpBuffer=0x1cfd90, dwLength=0x30 | out: lpBuffer=0x1cfd90*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.898] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cfd90, dwLength=0x30 | out: lpBuffer=0x1cfd90*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.898] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfd90, dwLength=0x30 | out: lpBuffer=0x1cfd90*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.898] VirtualQuery (in: lpAddress=0xd4000, lpBuffer=0x1cfd90, dwLength=0x30 | out: lpBuffer=0x1cfd90*(BaseAddress=0xd4000, AllocationBase=0xd0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.898] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cfd90, dwLength=0x30 | out: lpBuffer=0x1cfd90*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000, __alignment2=0x0)) returned 0x30 [0044.898] GetConsoleOutputCP () returned 0x1b5 [0045.101] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1 [0045.102] SetConsoleCtrlHandler (HandlerRoutine=0x4a273184, Add=1) returned 1 [0045.102] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.102] SetConsoleMode (hConsoleHandle=0xf8, dwMode=0x0) returned 0 [0045.102] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.102] GetConsoleMode (in: hConsoleHandle=0xf8, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 0 [0045.102] _get_osfhandle (_FileHandle=0) returned 0xec [0045.102] GetConsoleMode (in: hConsoleHandle=0xec, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 0 [0045.102] GetEnvironmentStringsW () returned 0x278a60* [0045.103] GetProcessHeap () returned 0x260000 [0045.103] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xa7c) returned 0x2794f0 [0045.103] FreeEnvironmentStringsW (penv=0x278a60) returned 1 [0045.103] GetProcessHeap () returned 0x260000 [0045.103] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x8) returned 0x2788e0 [0045.103] GetEnvironmentStringsW () returned 0x278a60* [0045.103] GetProcessHeap () returned 0x260000 [0045.103] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xa7c) returned 0x279f80 [0045.103] FreeEnvironmentStringsW (penv=0x278a60) returned 1 [0045.103] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cece8 | out: phkResult=0x1cece8*=0x44) returned 0x0 [0045.103] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cece0, lpData=0x1ced00, lpcbData=0x1cece4*=0x1000 | out: lpType=0x1cece0*=0x0, lpData=0x1ced00*=0x18, lpcbData=0x1cece4*=0x1000) returned 0x2 [0045.103] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cece0, lpData=0x1ced00, lpcbData=0x1cece4*=0x1000 | out: lpType=0x1cece0*=0x4, lpData=0x1ced00*=0x1, lpcbData=0x1cece4*=0x4) returned 0x0 [0045.104] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cece0, lpData=0x1ced00, lpcbData=0x1cece4*=0x1000 | out: lpType=0x1cece0*=0x0, lpData=0x1ced00*=0x1, lpcbData=0x1cece4*=0x1000) returned 0x2 [0045.104] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cece0, lpData=0x1ced00, lpcbData=0x1cece4*=0x1000 | out: lpType=0x1cece0*=0x4, lpData=0x1ced00*=0x0, lpcbData=0x1cece4*=0x4) returned 0x0 [0045.115] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cece0, lpData=0x1ced00, lpcbData=0x1cece4*=0x1000 | out: lpType=0x1cece0*=0x4, lpData=0x1ced00*=0x40, lpcbData=0x1cece4*=0x4) returned 0x0 [0045.115] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cece0, lpData=0x1ced00, lpcbData=0x1cece4*=0x1000 | out: lpType=0x1cece0*=0x4, lpData=0x1ced00*=0x40, lpcbData=0x1cece4*=0x4) returned 0x0 [0045.115] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cece0, lpData=0x1ced00, lpcbData=0x1cece4*=0x1000 | out: lpType=0x1cece0*=0x0, lpData=0x1ced00*=0x40, lpcbData=0x1cece4*=0x1000) returned 0x2 [0045.115] RegCloseKey (hKey=0x44) returned 0x0 [0045.115] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cece8 | out: phkResult=0x1cece8*=0x44) returned 0x0 [0045.116] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cece0, lpData=0x1ced00, lpcbData=0x1cece4*=0x1000 | out: lpType=0x1cece0*=0x0, lpData=0x1ced00*=0x40, lpcbData=0x1cece4*=0x1000) returned 0x2 [0045.116] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cece0, lpData=0x1ced00, lpcbData=0x1cece4*=0x1000 | out: lpType=0x1cece0*=0x4, lpData=0x1ced00*=0x1, lpcbData=0x1cece4*=0x4) returned 0x0 [0045.116] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cece0, lpData=0x1ced00, lpcbData=0x1cece4*=0x1000 | out: lpType=0x1cece0*=0x0, lpData=0x1ced00*=0x1, lpcbData=0x1cece4*=0x1000) returned 0x2 [0045.116] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cece0, lpData=0x1ced00, lpcbData=0x1cece4*=0x1000 | out: lpType=0x1cece0*=0x4, lpData=0x1ced00*=0x0, lpcbData=0x1cece4*=0x4) returned 0x0 [0045.116] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cece0, lpData=0x1ced00, lpcbData=0x1cece4*=0x1000 | out: lpType=0x1cece0*=0x4, lpData=0x1ced00*=0x9, lpcbData=0x1cece4*=0x4) returned 0x0 [0045.116] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cece0, lpData=0x1ced00, lpcbData=0x1cece4*=0x1000 | out: lpType=0x1cece0*=0x4, lpData=0x1ced00*=0x9, lpcbData=0x1cece4*=0x4) returned 0x0 [0045.116] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cece0, lpData=0x1ced00, lpcbData=0x1cece4*=0x1000 | out: lpType=0x1cece0*=0x0, lpData=0x1ced00*=0x9, lpcbData=0x1cece4*=0x1000) returned 0x2 [0045.116] RegCloseKey (hKey=0x44) returned 0x0 [0045.116] time (in: timer=0x0 | out: timer=0x0) returned 0x5f52c000 [0045.116] srand (_Seed=0x5f52c000) [0045.116] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0045.116] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0045.116] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a28c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0045.116] GetProcessHeap () returned 0x260000 [0045.116] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x218) returned 0x27aa10 [0045.116] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x27aa20, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0045.117] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0045.117] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0045.117] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0045.117] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0045.117] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0045.117] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0045.117] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0045.117] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0045.117] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0045.117] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0045.117] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0045.117] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0045.117] GetProcessHeap () returned 0x260000 [0045.117] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x2794f0 | out: hHeap=0x260000) returned 1 [0045.117] GetEnvironmentStringsW () returned 0x278a60* [0045.117] GetProcessHeap () returned 0x260000 [0045.117] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xa94) returned 0x27ac30 [0045.118] FreeEnvironmentStringsW (penv=0x278a60) returned 1 [0045.118] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0045.118] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0045.118] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0045.118] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0045.118] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0045.118] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0045.118] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0045.118] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0045.118] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0045.118] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0045.118] GetProcessHeap () returned 0x260000 [0045.118] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x5c) returned 0x27b6d0 [0045.118] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cfaf0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0045.118] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1cfaf0, lpFilePart=0x1cfad0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1cfad0*="Desktop") returned 0x25 [0045.118] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0045.118] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf800 | out: lpFindFileData=0x1cf800*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x27b740 [0045.118] FindClose (in: hFindFile=0x27b740 | out: hFindFile=0x27b740) returned 1 [0045.119] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1cf800 | out: lpFindFileData=0x1cf800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x27b740 [0045.119] FindClose (in: hFindFile=0x27b740 | out: hFindFile=0x27b740) returned 1 [0045.119] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0045.119] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1cf800 | out: lpFindFileData=0x1cf800*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf2cfca80, ftLastAccessTime.dwHighDateTime=0x1d6830a, ftLastWriteTime.dwLowDateTime=0xf2cfca80, ftLastWriteTime.dwHighDateTime=0x1d6830a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x27b740 [0045.119] FindClose (in: hFindFile=0x27b740 | out: hFindFile=0x27b740) returned 1 [0045.119] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0045.119] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0045.119] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0045.119] GetProcessHeap () returned 0x260000 [0045.119] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27ac30 | out: hHeap=0x260000) returned 1 [0045.119] GetEnvironmentStringsW () returned 0x27b740* [0045.120] GetProcessHeap () returned 0x260000 [0045.120] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xae8) returned 0x27c230 [0045.120] FreeEnvironmentStringsW (penv=0x27b740) returned 1 [0045.120] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a28c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0045.120] GetProcessHeap () returned 0x260000 [0045.120] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27b6d0 | out: hHeap=0x260000) returned 1 [0045.120] GetProcessHeap () returned 0x260000 [0045.120] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x4016) returned 0x27cd20 [0045.120] GetProcessHeap () returned 0x260000 [0045.120] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27cd20 | out: hHeap=0x260000) returned 1 [0045.120] GetConsoleOutputCP () returned 0x1b5 [0045.121] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1 [0045.121] GetUserDefaultLCID () returned 0x409 [0045.121] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a287b50, cchData=8 | out: lpLCData=":") returned 2 [0045.121] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cfc00, cchData=128 | out: lpLCData="0") returned 2 [0045.121] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cfc00, cchData=128 | out: lpLCData="0") returned 2 [0045.121] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cfc00, cchData=128 | out: lpLCData="1") returned 2 [0045.121] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a29a740, cchData=8 | out: lpLCData="/") returned 2 [0045.122] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a29a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0045.122] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a29a460, cchData=32 | out: lpLCData="Tue") returned 4 [0045.122] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a29a420, cchData=32 | out: lpLCData="Wed") returned 4 [0045.122] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a29a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0045.122] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a29a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0045.122] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a29a360, cchData=32 | out: lpLCData="Sat") returned 4 [0045.122] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a29a700, cchData=32 | out: lpLCData="Sun") returned 4 [0045.122] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a287b40, cchData=8 | out: lpLCData=".") returned 2 [0045.122] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a29a4e0, cchData=8 | out: lpLCData=",") returned 2 [0045.122] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0045.123] GetProcessHeap () returned 0x260000 [0045.123] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x20c) returned 0x2795c0 [0045.123] GetConsoleTitleW (in: lpConsoleTitle=0x2795c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0045.123] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.123] GetFileType (hFile=0xf8) returned 0x3 [0045.123] BrandingFormatString () returned 0x2797e0 [0045.128] GetVersion () returned 0x1db10106 [0045.128] _vsnwprintf (in: _Buffer=0x1cfd70, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x1cfd08 | out: _Buffer="6.1.7601") returned 8 [0045.128] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.128] GetFileType (hFile=0xf8) returned 0x3 [0045.128] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4a296340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0045.128] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4a296340, nSize=0x2000, Arguments=0x1cfd10 | out: lpBuffer="Microsoft Windows [Version 6.1.7601]") returned 0x24 [0045.128] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.128] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 6.1.7601]", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 6.1.7601]", lpUsedDefaultChar=0x0) returned 37 [0045.128] WriteFile (in: hFile=0xf8, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x1cfc98, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1cfc98*=0x24, lpOverlapped=0x0) returned 1 [0045.129] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1cfd38 | out: _Buffer="\r\n") returned 2 [0045.129] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.129] GetFileType (hFile=0xf8) returned 0x3 [0045.129] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.129] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0045.129] WriteFile (in: hFile=0xf8, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cfd08, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1cfd08*=0x2, lpOverlapped=0x0) returned 1 [0045.129] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s", _ArgList=0x1cfd38 | out: _Buffer="Copyright (c) 2009 Microsoft Corporation. All rights reserved.") returned 63 [0045.129] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.129] GetFileType (hFile=0xf8) returned 0x3 [0045.129] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.129] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", lpUsedDefaultChar=0x0) returned 64 [0045.129] WriteFile (in: hFile=0xf8, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x3f, lpNumberOfBytesWritten=0x1cfd08, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1cfd08*=0x3f, lpOverlapped=0x0) returned 1 [0045.129] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1cfd38 | out: _Buffer="\r\n") returned 2 [0045.129] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.129] GetFileType (hFile=0xf8) returned 0x3 [0045.129] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.129] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0045.129] WriteFile (in: hFile=0xf8, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cfd08, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1cfd08*=0x2, lpOverlapped=0x0) returned 1 [0045.130] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0045.130] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0045.130] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0045.130] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0045.130] _get_osfhandle (_FileHandle=0) returned 0xec [0045.130] GetFileType (hFile=0xec) returned 0x3 [0045.130] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0045.131] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x1cfb60 | out: TokenHandle=0x1cfb60*=0x0) returned 0xc000007c [0045.131] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x1cfb60 | out: TokenHandle=0x1cfb60*=0x50) returned 0x0 [0045.131] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x12, TokenInformation=0x1cfb70, TokenInformationLength=0x4, ReturnLength=0x1cfb78 | out: TokenInformation=0x1cfb70, ReturnLength=0x1cfb78) returned 0x0 [0045.131] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x1a, TokenInformation=0x1cfb78, TokenInformationLength=0x4, ReturnLength=0x1cfb70 | out: TokenInformation=0x1cfb78, ReturnLength=0x1cfb70) returned 0x0 [0045.131] NtClose (Handle=0x50) returned 0x0 [0045.131] FormatMessageW (in: dwFlags=0x1900, lpSource=0x0, dwMessageId=0x40002748, dwLanguageId=0x0, lpBuffer=0x1cfb40, nSize=0x0, Arguments=0x1cfb48 | out: lpBuffer="韠'") returned 0xf [0045.131] GetProcessHeap () returned 0x260000 [0045.131] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x218) returned 0x261ab0 [0045.131] GetConsoleTitleW (in: lpConsoleTitle=0x1cfb90, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0045.131] wcsstr (_Str="C:\\Windows\\system32\\cmd.exe", _SubStr="Administrator: ") returned 0x0 [0045.132] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 1 [0045.132] GetProcessHeap () returned 0x260000 [0045.132] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x261ab0 | out: hHeap=0x260000) returned 1 [0045.133] LocalFree (hMem=0x2797e0) returned 0x0 [0045.133] GetProcessHeap () returned 0x260000 [0045.133] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27aa10 | out: hHeap=0x260000) returned 1 [0045.133] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1cf878 | out: _Buffer="\r\n") returned 2 [0045.133] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.133] GetFileType (hFile=0xf8) returned 0x3 [0045.133] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.133] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0045.133] WriteFile (in: hFile=0xf8, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cf848, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1cf848*=0x2, lpOverlapped=0x0) returned 1 [0045.133] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0045.133] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a28c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0045.133] _vsnwprintf (in: _Buffer=0x4a27eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x1cf888 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0045.134] _vsnwprintf (in: _Buffer=0x4a27ebaa, _BufferCount=0x3d9, _Format="%c", _ArgList=0x1cf888 | out: _Buffer=">") returned 1 [0045.134] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.134] GetFileType (hFile=0xf8) returned 0x3 [0045.134] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.134] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", lpUsedDefaultChar=0x0) returned 39 [0045.134] WriteFile (in: hFile=0xf8, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x1cf878, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1cf878*=0x26, lpOverlapped=0x0) returned 1 [0045.134] _get_osfhandle (_FileHandle=0) returned 0xec [0045.134] GetFileType (hFile=0xec) returned 0x3 [0045.134] _get_osfhandle (_FileHandle=0) returned 0xec [0045.134] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.134] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.134] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e320, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0045.135] _get_osfhandle (_FileHandle=0) returned 0xec [0045.135] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.135] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.135] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e322, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0045.135] _get_osfhandle (_FileHandle=0) returned 0xec [0045.135] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.136] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.136] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e324, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0045.136] _get_osfhandle (_FileHandle=0) returned 0xec [0045.136] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.136] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.136] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e326, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0045.136] _get_osfhandle (_FileHandle=0) returned 0xec [0045.136] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.136] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.136] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e328, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0045.136] _get_osfhandle (_FileHandle=0) returned 0xec [0045.136] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.136] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.136] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e32a, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0045.136] _get_osfhandle (_FileHandle=0) returned 0xec [0045.136] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.136] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.136] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e32c, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0045.136] _get_osfhandle (_FileHandle=0) returned 0xec [0045.136] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.136] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.136] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e32e, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0045.136] _get_osfhandle (_FileHandle=0) returned 0xec [0045.136] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.137] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.137] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e330, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0045.137] _get_osfhandle (_FileHandle=0) returned 0xec [0045.137] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.137] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.137] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e332, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0045.137] _get_osfhandle (_FileHandle=0) returned 0xec [0045.137] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.137] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.137] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e334, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0045.137] _get_osfhandle (_FileHandle=0) returned 0xec [0045.137] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.137] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.137] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e336, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0045.137] _get_osfhandle (_FileHandle=0) returned 0xec [0045.137] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.137] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.137] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e338, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0045.137] _get_osfhandle (_FileHandle=0) returned 0xec [0045.137] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.137] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.137] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e33a, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0045.137] _get_osfhandle (_FileHandle=0) returned 0xec [0045.137] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.137] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.138] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e33c, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0045.138] _get_osfhandle (_FileHandle=0) returned 0xec [0045.138] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.138] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.138] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e33e, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0045.138] _get_osfhandle (_FileHandle=0) returned 0xec [0045.138] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.138] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.138] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e340, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0045.138] _get_osfhandle (_FileHandle=0) returned 0xec [0045.138] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.138] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.138] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e342, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0045.138] _get_osfhandle (_FileHandle=0) returned 0xec [0045.138] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.138] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.138] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e344, cchWideChar=1 | out: lpWideCharStr="=") returned 1 [0045.138] _get_osfhandle (_FileHandle=0) returned 0xec [0045.138] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.138] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.138] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e346, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0045.138] _get_osfhandle (_FileHandle=0) returned 0xec [0045.138] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.138] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.138] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e348, cchWideChar=1 | out: lpWideCharStr="2") returned 1 [0045.138] _get_osfhandle (_FileHandle=0) returned 0xec [0045.139] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.139] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.139] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e34a, cchWideChar=1 | out: lpWideCharStr="5") returned 1 [0045.139] _get_osfhandle (_FileHandle=0) returned 0xec [0045.139] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.139] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.139] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e34c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0045.139] _get_osfhandle (_FileHandle=0) returned 0xec [0045.139] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.139] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.139] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e34e, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0045.139] _get_osfhandle (_FileHandle=0) returned 0xec [0045.139] GetFileType (hFile=0xec) returned 0x3 [0045.140] _get_osfhandle (_FileHandle=0) returned 0xec [0045.140] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.140] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.140] GetFileType (hFile=0xf8) returned 0x3 [0045.140] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.140] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="mode con cp select=1251\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mode con cp select=1251\n", lpUsedDefaultChar=0x0) returned 25 [0045.140] WriteFile (in: hFile=0xf8, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x1cfb58, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1cfb58*=0x18, lpOverlapped=0x0) returned 1 [0045.140] GetProcessHeap () returned 0x260000 [0045.140] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x4012) returned 0x27cd20 [0045.140] GetProcessHeap () returned 0x260000 [0045.140] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27cd20 | out: hHeap=0x260000) returned 1 [0045.140] _wcsicmp (_String1="mode", _String2=")") returned 68 [0045.140] _wcsicmp (_String1="FOR", _String2="mode") returned -7 [0045.140] _wcsicmp (_String1="FOR/?", _String2="mode") returned -7 [0045.140] _wcsicmp (_String1="IF", _String2="mode") returned -4 [0045.140] _wcsicmp (_String1="IF/?", _String2="mode") returned -4 [0045.141] _wcsicmp (_String1="REM", _String2="mode") returned 5 [0045.141] _wcsicmp (_String1="REM/?", _String2="mode") returned 5 [0045.141] GetProcessHeap () returned 0x260000 [0045.141] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xb0) returned 0x2797e0 [0045.141] GetProcessHeap () returned 0x260000 [0045.141] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x1a) returned 0x274610 [0045.141] GetProcessHeap () returned 0x260000 [0045.141] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x38) returned 0x276510 [0045.142] GetConsoleOutputCP () returned 0x1b5 [0045.142] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1 [0045.142] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0045.142] GetConsoleTitleW (in: lpConsoleTitle=0x1cfb10, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0045.143] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0045.143] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0045.143] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0045.143] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0045.143] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0045.143] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0045.143] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0045.143] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0045.143] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0045.143] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0045.143] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0045.143] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0045.143] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0045.143] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0045.143] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0045.143] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0045.143] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0045.143] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0045.143] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0045.143] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0045.143] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0045.143] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0045.143] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0045.143] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0045.143] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0045.143] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0045.143] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0045.144] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0045.144] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0045.144] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0045.144] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0045.144] _wcsicmp (_String1="mode", _String2="START") returned -6 [0045.144] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0045.144] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0045.144] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0045.144] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0045.144] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0045.144] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0045.144] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0045.144] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0045.144] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0045.144] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0045.144] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0045.144] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0045.144] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0045.144] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0045.144] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0045.144] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0045.144] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0045.144] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0045.144] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0045.144] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0045.144] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0045.144] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0045.144] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0045.144] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0045.144] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0045.144] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0045.144] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0045.145] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0045.145] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0045.145] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0045.145] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0045.145] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0045.145] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0045.145] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0045.145] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0045.145] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0045.145] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0045.145] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0045.145] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0045.145] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0045.145] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0045.145] _wcsicmp (_String1="mode", _String2="START") returned -6 [0045.145] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0045.145] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0045.145] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0045.145] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0045.145] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0045.145] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0045.145] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0045.145] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0045.145] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0045.145] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0045.145] _wcsicmp (_String1="mode", _String2="FOR") returned 7 [0045.145] _wcsicmp (_String1="mode", _String2="IF") returned 4 [0045.145] _wcsicmp (_String1="mode", _String2="REM") returned -5 [0045.145] GetProcessHeap () returned 0x260000 [0045.145] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x218) returned 0x261ab0 [0045.146] GetProcessHeap () returned 0x260000 [0045.146] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x42) returned 0x2798a0 [0045.146] _wcsnicmp (_String1="mode", _String2="cmd ", _MaxCount=0x4) returned 10 [0045.146] GetProcessHeap () returned 0x260000 [0045.146] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x420) returned 0x279a80 [0045.146] SetErrorMode (uMode=0x0) returned 0x0 [0045.146] SetErrorMode (uMode=0x1) returned 0x0 [0045.146] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x279a90, lpFilePart=0x1cf3a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1cf3a0*="Desktop") returned 0x25 [0045.146] SetErrorMode (uMode=0x0) returned 0x1 [0045.146] GetProcessHeap () returned 0x260000 [0045.146] RtlReAllocateHeap (Heap=0x260000, Flags=0x0, Ptr=0x279a80, Size=0x66) returned 0x279a80 [0045.146] GetProcessHeap () returned 0x260000 [0045.146] RtlSizeHeap (HeapHandle=0x260000, Flags=0x0, MemoryPointer=0x279a80) returned 0x66 [0045.146] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0045.146] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0045.146] GetProcessHeap () returned 0x260000 [0045.146] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x128) returned 0x261cd0 [0045.146] GetProcessHeap () returned 0x260000 [0045.147] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x240) returned 0x279b00 [0045.152] GetProcessHeap () returned 0x260000 [0045.152] RtlReAllocateHeap (Heap=0x260000, Flags=0x0, Ptr=0x279b00, Size=0x12a) returned 0x279b00 [0045.152] GetProcessHeap () returned 0x260000 [0045.152] RtlSizeHeap (HeapHandle=0x260000, Flags=0x0, MemoryPointer=0x279b00) returned 0x12a [0045.152] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0045.152] GetProcessHeap () returned 0x260000 [0045.152] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xe8) returned 0x275b70 [0045.153] GetProcessHeap () returned 0x260000 [0045.153] RtlReAllocateHeap (Heap=0x260000, Flags=0x0, Ptr=0x275b70, Size=0x7e) returned 0x275b70 [0045.153] GetProcessHeap () returned 0x260000 [0045.153] RtlSizeHeap (HeapHandle=0x260000, Flags=0x0, MemoryPointer=0x275b70) returned 0x7e [0045.159] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.159] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x1cf110, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf110) returned 0xffffffffffffffff [0045.159] GetLastError () returned 0x2 [0045.159] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mode", fInfoLevelId=0x1, lpFindFileData=0x1cf110, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf110) returned 0xffffffffffffffff [0045.160] GetLastError () returned 0x2 [0045.160] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.160] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x1cf110, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf110) returned 0x275c00 [0045.160] GetProcessHeap () returned 0x260000 [0045.160] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x28) returned 0x274640 [0045.160] FindClose (in: hFindFile=0x275c00 | out: hFindFile=0x275c00) returned 1 [0045.160] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.COM", fInfoLevelId=0x1, lpFindFileData=0x1cf110, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf110) returned 0x275c00 [0045.160] GetProcessHeap () returned 0x260000 [0045.160] RtlReAllocateHeap (Heap=0x260000, Flags=0x0, Ptr=0x274640, Size=0x8) returned 0x2798f0 [0045.160] FindClose (in: hFindFile=0x275c00 | out: hFindFile=0x275c00) returned 1 [0045.160] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1 [0045.160] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2 [0045.160] GetConsoleTitleW (in: lpConsoleTitle=0x1cf660, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0045.161] GetProcessHeap () returned 0x260000 [0045.161] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x21c) returned 0x279c40 [0045.161] GetConsoleTitleW (in: lpConsoleTitle=0x279c50, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0045.161] GetProcessHeap () returned 0x260000 [0045.161] RtlReAllocateHeap (Heap=0x260000, Flags=0x0, Ptr=0x279c40, Size=0xa8) returned 0x279c40 [0045.161] GetProcessHeap () returned 0x260000 [0045.161] RtlSizeHeap (HeapHandle=0x260000, Flags=0x0, MemoryPointer=0x279c40) returned 0xa8 [0045.161] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe - mode con cp select=1251") returned 1 [0045.161] GetProcessHeap () returned 0x260000 [0045.161] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279c40 | out: hHeap=0x260000) returned 1 [0045.161] InitializeProcThreadAttributeList (in: lpAttributeList=0x1cf418, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cf3d8 | out: lpAttributeList=0x1cf418, lpSize=0x1cf3d8) returned 1 [0045.161] UpdateProcThreadAttribute (in: lpAttributeList=0x1cf418, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cf3c8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cf418, lpPreviousValue=0x0) returned 1 [0045.161] GetStartupInfoW (in: lpStartupInfo=0x1cf530 | out: lpStartupInfo=0x1cf530*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xec, hStdOutput=0xf8, hStdError=0xf8)) [0045.162] GetProcessHeap () returned 0x260000 [0045.162] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x20) returned 0x274640 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0045.162] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0045.163] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0045.163] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0045.163] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0045.163] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0045.163] GetProcessHeap () returned 0x260000 [0045.163] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x274640 | out: hHeap=0x260000) returned 1 [0045.163] GetProcessHeap () returned 0x260000 [0045.163] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x12) returned 0x278900 [0045.163] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\mode.com", lpCommandLine="mode con cp select=1251", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1cf450*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="mode con cp select=1251", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cf400 | out: lpCommandLine="mode con cp select=1251", lpProcessInformation=0x1cf400*(hProcess=0x54, hThread=0x50, dwProcessId=0x2a8, dwThreadId=0x7cc)) returned 1 [0045.170] CloseHandle (hObject=0x50) returned 1 [0045.170] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0045.170] GetProcessHeap () returned 0x260000 [0045.170] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27c230 | out: hHeap=0x260000) returned 1 [0045.170] GetEnvironmentStringsW () returned 0x27aa10* [0045.170] GetProcessHeap () returned 0x260000 [0045.170] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xae8) returned 0x27b500 [0045.171] FreeEnvironmentStringsW (penv=0x27aa10) returned 1 [0045.171] LoadLibraryW (lpLibFileName="NTDLL.DLL") returned 0x77a60000 [0045.171] GetProcAddress (hModule=0x77a60000, lpProcName="NtQueryInformationProcess") returned 0x77ab14a0 [0045.171] NtQueryInformationProcess (in: ProcessHandle=0x54, ProcessInformationClass=0x0, ProcessInformation=0x1ced08, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x1ced08, ReturnLength=0x0) returned 0x0 [0045.171] ReadProcessMemory (in: hProcess=0x54, lpBaseAddress=0x7fffffd4000, lpBuffer=0x1ced40, nSize=0x380, lpNumberOfBytesRead=0x1ced00 | out: lpBuffer=0x1ced40*, lpNumberOfBytesRead=0x1ced00*=0x380) returned 1 [0045.173] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0045.970] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x1cf348 | out: lpExitCode=0x1cf348*=0x0) returned 1 [0045.970] CloseHandle (hObject=0x54) returned 1 [0045.970] _vsnwprintf (in: _Buffer=0x1cf5b8, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cf358 | out: _Buffer="00000000") returned 8 [0045.970] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0045.970] GetProcessHeap () returned 0x260000 [0045.970] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27b500 | out: hHeap=0x260000) returned 1 [0045.970] GetEnvironmentStringsW () returned 0x27aa10* [0045.970] GetProcessHeap () returned 0x260000 [0045.970] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xb0e) returned 0x27eb10 [0045.970] FreeEnvironmentStringsW (penv=0x27aa10) returned 1 [0045.970] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0045.971] GetProcessHeap () returned 0x260000 [0045.971] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27eb10 | out: hHeap=0x260000) returned 1 [0045.971] GetEnvironmentStringsW () returned 0x27aa10* [0045.971] GetProcessHeap () returned 0x260000 [0045.971] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xb0e) returned 0x27eb10 [0045.971] FreeEnvironmentStringsW (penv=0x27aa10) returned 1 [0045.971] GetProcessHeap () returned 0x260000 [0045.971] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x278900 | out: hHeap=0x260000) returned 1 [0045.971] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cf418 | out: lpAttributeList=0x1cf418) [0045.975] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 1 [0045.976] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.976] SetConsoleMode (hConsoleHandle=0xf8, dwMode=0x0) returned 0 [0045.976] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.976] GetConsoleMode (in: hConsoleHandle=0xf8, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 0 [0045.976] _get_osfhandle (_FileHandle=0) returned 0xec [0045.976] GetConsoleMode (in: hConsoleHandle=0xec, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 0 [0045.976] GetConsoleOutputCP () returned 0x4e3 [0045.977] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1 [0045.977] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0045.978] GetProcessHeap () returned 0x260000 [0045.978] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x275b70 | out: hHeap=0x260000) returned 1 [0045.978] GetProcessHeap () returned 0x260000 [0045.978] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279b00 | out: hHeap=0x260000) returned 1 [0045.978] GetProcessHeap () returned 0x260000 [0045.978] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x261cd0 | out: hHeap=0x260000) returned 1 [0045.978] GetProcessHeap () returned 0x260000 [0045.978] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279a80 | out: hHeap=0x260000) returned 1 [0045.978] GetProcessHeap () returned 0x260000 [0045.978] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x2798a0 | out: hHeap=0x260000) returned 1 [0045.978] GetProcessHeap () returned 0x260000 [0045.978] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x261ab0 | out: hHeap=0x260000) returned 1 [0045.978] GetProcessHeap () returned 0x260000 [0045.978] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x276510 | out: hHeap=0x260000) returned 1 [0045.978] GetProcessHeap () returned 0x260000 [0045.978] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x274610 | out: hHeap=0x260000) returned 1 [0045.978] GetProcessHeap () returned 0x260000 [0045.978] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x2797e0 | out: hHeap=0x260000) returned 1 [0045.978] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1cf878 | out: _Buffer="\r\n") returned 2 [0045.978] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.978] GetFileType (hFile=0xf8) returned 0x3 [0045.978] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.979] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0045.979] WriteFile (in: hFile=0xf8, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cf848, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1cf848*=0x2, lpOverlapped=0x0) returned 1 [0045.979] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0045.979] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a28c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0045.979] _vsnwprintf (in: _Buffer=0x4a27eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x1cf888 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0045.979] _vsnwprintf (in: _Buffer=0x4a27ebaa, _BufferCount=0x3d9, _Format="%c", _ArgList=0x1cf888 | out: _Buffer=">") returned 1 [0045.979] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.979] GetFileType (hFile=0xf8) returned 0x3 [0045.979] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.979] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", lpUsedDefaultChar=0x0) returned 39 [0045.979] WriteFile (in: hFile=0xf8, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x1cf878, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1cf878*=0x26, lpOverlapped=0x0) returned 1 [0045.979] _get_osfhandle (_FileHandle=0) returned 0xec [0045.979] GetFileType (hFile=0xec) returned 0x3 [0045.979] _get_osfhandle (_FileHandle=0) returned 0xec [0045.979] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.979] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.980] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e320, cchWideChar=1 | out: lpWideCharStr="vode con cp select=1251\n") returned 1 [0045.980] _get_osfhandle (_FileHandle=0) returned 0xec [0045.980] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.980] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.980] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e322, cchWideChar=1 | out: lpWideCharStr="sde con cp select=1251\n") returned 1 [0045.980] _get_osfhandle (_FileHandle=0) returned 0xec [0045.980] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.980] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.980] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e324, cchWideChar=1 | out: lpWideCharStr="se con cp select=1251\n") returned 1 [0045.980] _get_osfhandle (_FileHandle=0) returned 0xec [0045.980] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.980] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.980] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e326, cchWideChar=1 | out: lpWideCharStr="a con cp select=1251\n") returned 1 [0045.980] _get_osfhandle (_FileHandle=0) returned 0xec [0045.980] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.980] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.980] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e328, cchWideChar=1 | out: lpWideCharStr="dcon cp select=1251\n") returned 1 [0045.980] _get_osfhandle (_FileHandle=0) returned 0xec [0045.980] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.980] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.981] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e32a, cchWideChar=1 | out: lpWideCharStr="mon cp select=1251\n") returned 1 [0045.981] _get_osfhandle (_FileHandle=0) returned 0xec [0045.981] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.981] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.981] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e32c, cchWideChar=1 | out: lpWideCharStr="in cp select=1251\n") returned 1 [0045.981] _get_osfhandle (_FileHandle=0) returned 0xec [0045.981] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.981] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.981] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e32e, cchWideChar=1 | out: lpWideCharStr="n cp select=1251\n") returned 1 [0045.981] _get_osfhandle (_FileHandle=0) returned 0xec [0045.981] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.981] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.981] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e330, cchWideChar=1 | out: lpWideCharStr=" cp select=1251\n") returned 1 [0045.981] _get_osfhandle (_FileHandle=0) returned 0xec [0045.981] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.981] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.981] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e332, cchWideChar=1 | out: lpWideCharStr="dp select=1251\n") returned 1 [0045.981] _get_osfhandle (_FileHandle=0) returned 0xec [0045.981] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.981] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.982] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e334, cchWideChar=1 | out: lpWideCharStr="e select=1251\n") returned 1 [0045.982] _get_osfhandle (_FileHandle=0) returned 0xec [0045.982] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.982] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.982] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e336, cchWideChar=1 | out: lpWideCharStr="lselect=1251\n") returned 1 [0045.982] _get_osfhandle (_FileHandle=0) returned 0xec [0045.982] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.982] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.982] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e338, cchWideChar=1 | out: lpWideCharStr="eelect=1251\n") returned 1 [0045.982] _get_osfhandle (_FileHandle=0) returned 0xec [0045.982] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.982] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.982] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e33a, cchWideChar=1 | out: lpWideCharStr="tlect=1251\n") returned 1 [0045.982] _get_osfhandle (_FileHandle=0) returned 0xec [0045.982] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.982] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.982] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e33c, cchWideChar=1 | out: lpWideCharStr="eect=1251\n") returned 1 [0045.982] _get_osfhandle (_FileHandle=0) returned 0xec [0045.982] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.982] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.983] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e33e, cchWideChar=1 | out: lpWideCharStr=" ct=1251\n") returned 1 [0045.983] _get_osfhandle (_FileHandle=0) returned 0xec [0045.983] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.983] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.983] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e340, cchWideChar=1 | out: lpWideCharStr="st=1251\n") returned 1 [0045.983] _get_osfhandle (_FileHandle=0) returned 0xec [0045.983] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.983] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.983] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e342, cchWideChar=1 | out: lpWideCharStr="h=1251\n") returned 1 [0045.983] _get_osfhandle (_FileHandle=0) returned 0xec [0045.983] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.983] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.983] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e344, cchWideChar=1 | out: lpWideCharStr="a1251\n") returned 1 [0045.983] _get_osfhandle (_FileHandle=0) returned 0xec [0045.983] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.984] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.984] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e346, cchWideChar=1 | out: lpWideCharStr="d251\n") returned 1 [0045.984] _get_osfhandle (_FileHandle=0) returned 0xec [0045.984] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.984] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.984] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e348, cchWideChar=1 | out: lpWideCharStr="o51\n") returned 1 [0045.984] _get_osfhandle (_FileHandle=0) returned 0xec [0045.984] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.984] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.984] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e34a, cchWideChar=1 | out: lpWideCharStr="w1\n") returned 1 [0045.984] _get_osfhandle (_FileHandle=0) returned 0xec [0045.984] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.984] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.984] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e34c, cchWideChar=1 | out: lpWideCharStr="s\n") returned 1 [0045.984] _get_osfhandle (_FileHandle=0) returned 0xec [0045.984] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.984] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.984] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e34e, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0045.984] _get_osfhandle (_FileHandle=0) returned 0xec [0045.984] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.984] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.985] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e350, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0045.985] _get_osfhandle (_FileHandle=0) returned 0xec [0045.985] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.985] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.985] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e352, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0045.985] _get_osfhandle (_FileHandle=0) returned 0xec [0045.985] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.985] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.985] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e354, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0045.985] _get_osfhandle (_FileHandle=0) returned 0xec [0045.985] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.985] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.985] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e356, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0045.985] _get_osfhandle (_FileHandle=0) returned 0xec [0045.985] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.985] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.985] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e358, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0045.985] _get_osfhandle (_FileHandle=0) returned 0xec [0045.985] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.985] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.986] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e35a, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0045.986] _get_osfhandle (_FileHandle=0) returned 0xec [0045.986] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.986] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.986] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e35c, cchWideChar=1 | out: lpWideCharStr="q") returned 1 [0045.986] _get_osfhandle (_FileHandle=0) returned 0xec [0045.986] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.986] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.986] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e35e, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0045.986] _get_osfhandle (_FileHandle=0) returned 0xec [0045.986] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.986] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.986] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e360, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0045.986] _get_osfhandle (_FileHandle=0) returned 0xec [0045.986] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.986] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.986] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e362, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0045.986] _get_osfhandle (_FileHandle=0) returned 0xec [0045.986] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.986] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.987] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e364, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0045.987] _get_osfhandle (_FileHandle=0) returned 0xec [0045.987] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.987] ReadFile (in: hFile=0xec, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cfb78, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1cfb78*=0x1, lpOverlapped=0x0) returned 1 [0045.987] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a28c320, cbMultiByte=1, lpWideCharStr=0x4a28e366, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0045.987] _get_osfhandle (_FileHandle=0) returned 0xec [0045.987] GetFileType (hFile=0xec) returned 0x3 [0045.987] _get_osfhandle (_FileHandle=0) returned 0xec [0045.987] SetFilePointer (in: hFile=0xec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.987] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.987] GetFileType (hFile=0xf8) returned 0x3 [0045.987] _get_osfhandle (_FileHandle=1) returned 0xf8 [0045.987] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="vssadmin delete shadows /all /quiet\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssadmin delete shadows /all /quiet\n", lpUsedDefaultChar=0x0) returned 37 [0045.987] WriteFile (in: hFile=0xf8, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x1cfb58, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1cfb58*=0x24, lpOverlapped=0x0) returned 1 [0045.987] GetProcessHeap () returned 0x260000 [0045.987] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x4012) returned 0x27f630 [0045.988] GetProcessHeap () returned 0x260000 [0045.988] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27f630 | out: hHeap=0x260000) returned 1 [0045.988] GetProcessHeap () returned 0x260000 [0045.988] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xb0) returned 0x2797e0 [0045.988] GetProcessHeap () returned 0x260000 [0045.988] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x22) returned 0x274610 [0045.989] GetProcessHeap () returned 0x260000 [0045.989] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x48) returned 0x27aa90 [0045.989] GetConsoleOutputCP () returned 0x4e3 [0045.989] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1 [0045.989] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0045.989] GetConsoleTitleW (in: lpConsoleTitle=0x1cfb10, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0045.989] GetProcessHeap () returned 0x260000 [0045.989] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x218) returned 0x279910 [0045.990] GetProcessHeap () returned 0x260000 [0045.990] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x5a) returned 0x279b30 [0045.990] GetProcessHeap () returned 0x260000 [0045.990] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x420) returned 0x279090 [0045.990] SetErrorMode (uMode=0x0) returned 0x0 [0045.990] SetErrorMode (uMode=0x1) returned 0x0 [0045.990] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2790a0, lpFilePart=0x1cf3a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1cf3a0*="Desktop") returned 0x25 [0045.990] SetErrorMode (uMode=0x0) returned 0x1 [0045.990] GetProcessHeap () returned 0x260000 [0045.990] RtlReAllocateHeap (Heap=0x260000, Flags=0x0, Ptr=0x279090, Size=0x6e) returned 0x279090 [0045.990] GetProcessHeap () returned 0x260000 [0045.990] RtlSizeHeap (HeapHandle=0x260000, Flags=0x0, MemoryPointer=0x279090) returned 0x6e [0045.990] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0045.990] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0045.990] GetProcessHeap () returned 0x260000 [0045.990] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x128) returned 0x275b70 [0045.990] GetProcessHeap () returned 0x260000 [0045.990] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x240) returned 0x261ab0 [0045.990] GetProcessHeap () returned 0x260000 [0045.990] RtlReAllocateHeap (Heap=0x260000, Flags=0x0, Ptr=0x261ab0, Size=0x12a) returned 0x261ab0 [0045.991] GetProcessHeap () returned 0x260000 [0045.991] RtlSizeHeap (HeapHandle=0x260000, Flags=0x0, MemoryPointer=0x261ab0) returned 0x12a [0045.991] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0045.991] GetProcessHeap () returned 0x260000 [0045.991] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xe8) returned 0x279db0 [0045.991] GetProcessHeap () returned 0x260000 [0045.991] RtlReAllocateHeap (Heap=0x260000, Flags=0x0, Ptr=0x279db0, Size=0x7e) returned 0x279db0 [0045.991] GetProcessHeap () returned 0x260000 [0045.991] RtlSizeHeap (HeapHandle=0x260000, Flags=0x0, MemoryPointer=0x279db0) returned 0x7e [0045.991] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.991] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x1cf110, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf110) returned 0xffffffffffffffff [0045.991] GetLastError () returned 0x2 [0045.991] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x1cf110, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf110) returned 0xffffffffffffffff [0045.991] GetLastError () returned 0x2 [0045.992] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.992] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x1cf110, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf110) returned 0x279ba0 [0045.992] FindClose (in: hFindFile=0x279ba0 | out: hFindFile=0x279ba0) returned 1 [0045.992] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x1cf110, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf110) returned 0xffffffffffffffff [0045.992] GetLastError () returned 0x2 [0045.992] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x1cf110, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf110) returned 0x279ba0 [0045.992] FindClose (in: hFindFile=0x279ba0 | out: hFindFile=0x279ba0) returned 1 [0045.992] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0045.992] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0045.992] GetConsoleTitleW (in: lpConsoleTitle=0x1cf660, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0045.993] GetProcessHeap () returned 0x260000 [0045.993] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x21c) returned 0x279110 [0045.993] GetConsoleTitleW (in: lpConsoleTitle=0x279120, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0045.993] GetProcessHeap () returned 0x260000 [0045.993] RtlReAllocateHeap (Heap=0x260000, Flags=0x0, Ptr=0x279110, Size=0xc0) returned 0x279110 [0045.993] GetProcessHeap () returned 0x260000 [0045.993] RtlSizeHeap (HeapHandle=0x260000, Flags=0x0, MemoryPointer=0x279110) returned 0xc0 [0045.993] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe - vssadmin delete shadows /all /quiet") returned 1 [0045.994] GetProcessHeap () returned 0x260000 [0045.994] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279110 | out: hHeap=0x260000) returned 1 [0045.994] InitializeProcThreadAttributeList (in: lpAttributeList=0x1cf418, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cf3d8 | out: lpAttributeList=0x1cf418, lpSize=0x1cf3d8) returned 1 [0045.994] UpdateProcThreadAttribute (in: lpAttributeList=0x1cf418, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cf3c8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cf418, lpPreviousValue=0x0) returned 1 [0045.994] GetStartupInfoW (in: lpStartupInfo=0x1cf530 | out: lpStartupInfo=0x1cf530*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xec, hStdOutput=0xf8, hStdError=0xf8)) [0045.994] GetProcessHeap () returned 0x260000 [0045.994] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x20) returned 0x274640 [0045.994] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0045.994] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0045.994] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0045.994] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0045.994] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0045.994] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0045.994] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0045.994] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0045.994] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0045.994] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0045.994] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0045.994] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0045.994] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0045.994] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0045.995] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0045.995] GetProcessHeap () returned 0x260000 [0045.995] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x274640 | out: hHeap=0x260000) returned 1 [0045.995] GetProcessHeap () returned 0x260000 [0045.995] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x12) returned 0x278900 [0045.996] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1cf450*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cf400 | out: lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessInformation=0x1cf400*(hProcess=0x50, hThread=0x54, dwProcessId=0x7ac, dwThreadId=0x408)) returned 1 [0046.185] CloseHandle (hObject=0x54) returned 1 [0046.185] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0046.185] GetProcessHeap () returned 0x260000 [0046.185] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27eb10 | out: hHeap=0x260000) returned 1 [0046.185] GetEnvironmentStringsW () returned 0x27eb10* [0046.185] GetProcessHeap () returned 0x260000 [0046.185] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xb0e) returned 0x27f630 [0046.185] FreeEnvironmentStringsW (penv=0x27eb10) returned 1 [0046.185] NtQueryInformationProcess (in: ProcessHandle=0x50, ProcessInformationClass=0x0, ProcessInformation=0x1ced08, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x1ced08, ReturnLength=0x0) returned 0x0 [0046.185] ReadProcessMemory (in: hProcess=0x50, lpBaseAddress=0x7fffffdd000, lpBuffer=0x1ced40, nSize=0x380, lpNumberOfBytesRead=0x1ced00 | out: lpBuffer=0x1ced40*, lpNumberOfBytesRead=0x1ced00*=0x380) returned 1 [0046.185] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) Process: id = "3" image_name = "mode.com" filename = "c:\\windows\\system32\\mode.com" page_root = "0x4b98e000" os_pid = "0x2a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x5b8" cmd_line = "mode con cp select=1251" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 9 os_tid = 0x7cc Process: id = "4" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x4c7b5000" os_pid = "0x7ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x5b8" cmd_line = "vssadmin delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 16 os_tid = 0x408 Thread: id = 22 os_tid = 0x620 Thread: id = 23 os_tid = 0x54c Thread: id = 24 os_tid = 0x71c Thread: id = 25 os_tid = 0x560 Process: id = "5" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x4a12a000" os_pid = "0x79c" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:000599c7" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 27 os_tid = 0x804 Thread: id = 28 os_tid = 0x644 Thread: id = 29 os_tid = 0x434 Thread: id = 30 os_tid = 0x6dc [0049.567] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x104dbe0 | out: lpSystemTimeAsFileTime=0x104dbe0*(dwLowDateTime=0xfcb1f140, dwHighDateTime=0x1d6830a)) [0049.567] GetCurrentProcessId () returned 0x79c [0049.567] GetCurrentThreadId () returned 0x6dc [0049.567] GetTickCount () returned 0x1145284 [0049.567] QueryPerformanceCounter (in: lpPerformanceCount=0x104dbe8 | out: lpPerformanceCount=0x104dbe8*=16983906805) returned 1 [0049.567] malloc (_Size=0x100) returned 0x428e80 Thread: id = 31 os_tid = 0x48c Thread: id = 32 os_tid = 0x36c Thread: id = 33 os_tid = 0x114 Thread: id = 34 os_tid = 0x844 Thread: id = 41 os_tid = 0x8a8 Thread: id = 42 os_tid = 0x974 Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x49c2f000" os_pid = "0x824" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:00059f82" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 35 os_tid = 0x8b4 Thread: id = 36 os_tid = 0x894 Thread: id = 37 os_tid = 0x884 Thread: id = 38 os_tid = 0x874 Thread: id = 39 os_tid = 0x864 Thread: id = 40 os_tid = 0x834 Thread: id = 43 os_tid = 0x9e4